While each issue might not result in significant damage on its own, when combined they create an opportunity for an attacker who already has access to a Kubernetes cluster to escalate their privileges.
If an attacker has the ability to execute in the FluentBit container and the cluster has ASM installed, they can create a single powerful chain to gain complete control of a Kubernetes cluster.
For a better understanding of the attack scenario, we will explain two of the Kubernetes concepts involved: DaemonSets and role-based access control (RBAC).
RBAC is an important security feature in Kubernetes because it helps prevent accidental privilege escalation and unauthorized access.
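As an added illustration of why RBAC matters here (this is example code written for this page, not code from the Unit 42 post), the following Python audits ClusterRoles for rules that let their holder rewrite RBAC or act as another identity, and then lists which service accounts are bound to the flagged roles. It reads the JSON that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` produce; the role and binding names below are constructed samples, not real cluster objects.

```python
"""Audit Kubernetes RBAC for roles that let their holder escalate to cluster admin.

Input is the JSON that `kubectl get clusterroles -o json` and
`kubectl get clusterrolebindings -o json` produce; the samples below are
constructed for this example and are not real cluster objects.
"""
import json

# Verbs that let a subject rewrite RBAC or act as another identity.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Resources whose modification changes who can do what in the cluster.
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "*"}
RBAC_GROUPS = {"rbac.authorization.k8s.io", "*"}


def rule_findings(rule):
    """Return the reasons one PolicyRule is dangerous (empty list if it looks fine)."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    groups = set(rule.get("apiGroups", []))
    findings = []
    if "*" in verbs and "*" in resources:
        findings.append("wildcard verbs on wildcard resources (effectively cluster-admin)")
    if verbs & ESCALATION_VERBS:
        findings.append("escalation verbs: " + ", ".join(sorted(verbs & ESCALATION_VERBS)))
    rbac_targets = resources & (RBAC_RESOURCES | {"*"})
    if (verbs & WRITE_VERBS) and rbac_targets and (groups & RBAC_GROUPS):
        findings.append("can write RBAC objects: " + ", ".join(sorted(rbac_targets)))
    return findings


def audit_cluster_roles(clusterrole_list):
    """Map ClusterRole name -> findings, for every role with at least one finding."""
    report = {}
    for role in clusterrole_list.get("items", []):
        reasons = [f for rule in role.get("rules", []) for f in rule_findings(rule)]
        if reasons:
            report[role["metadata"]["name"]] = reasons
    return report


def bound_service_accounts(report, clusterrolebinding_list):
    """For each flagged ClusterRole, list the ServiceAccounts bound to it as namespace/name.

    These are the identities whose tokens most need protecting: a pod running as
    one of them can rewrite RBAC for the whole cluster.
    """
    exposed = {}
    for crb in clusterrolebinding_list.get("items", []):
        role = crb.get("roleRef", {}).get("name")
        if role not in report:
            continue
        for subject in crb.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                sa = f"{subject.get('namespace', 'default')}/{subject['name']}"
                exposed.setdefault(role, []).append(sa)
    return exposed


# Constructed sample data (not real cluster objects): one harmless role, one that
# can edit ClusterRoles, and one with full wildcard permissions.
SAMPLE_CLUSTERROLES = json.loads("""
{"items": [
  {"metadata": {"name": "example-log-reader"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "example-rbac-editor"},
   "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
              "verbs": ["get", "update", "patch", "escalate"]}]},
  {"metadata": {"name": "example-superuser"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]}
""")

SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "example-rbac-editor-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "example-rbac-editor"},
   "subjects": [{"kind": "ServiceAccount", "name": "example-controller-sa", "namespace": "kube-system"}]},
  {"metadata": {"name": "example-log-reader-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "example-log-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "example-log-agent", "namespace": "kube-system"}]}
]}
""")

if __name__ == "__main__":
    report = audit_cluster_roles(SAMPLE_CLUSTERROLES)
    for name, reasons in report.items():
        print(f"{name}: {'; '.join(reasons)}")
    for role, accounts in bound_service_accounts(report, SAMPLE_BINDINGS).items():
        print(f"  {role} is held by: {', '.join(accounts)}")
```

The output of `bound_service_accounts` is the list of service accounts whose tokens, if readable from a compromised pod on the same node, would hand over RBAC control of the cluster; those are the bindings to review first, and the roles to trim to the verbs the workload actually needs.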
Second-stage cloud attacks are a type of attack where the attacker has already gained some level of access to the Kubernetes cluster.
The attacker will then look to spread through the cluster or escalate their privileges, and they will search for misconfigurations or other vulnerabilities to do so.
The two issues described in this post can be chained as a part of a second-stage attack to gain full control of a Kubernetes cluster.
Since this is a second-stage attack, the attacker must first exploit the FluentBit container by discovering a remote code execution or arbitrary file read vulnerability, or otherwise breaking out of another container to gain access to the Node.
If an attacker compromises the FluentBit pod, they would have access to its mounted volume and could use the token of any pod on the node.
Using the pod token, the attacker can impersonate a pod with privileged access to the Kubernetes API server and gain unauthorized access to the cluster.
Besides gaining unauthorized access to the cluster, an attacker can escalate their privilege or perform harmful actions.
Chaining the two issues we've discussed together allows an attacker to gain complete control over the Kubernetes cluster by escalating privileges to cluster admin.
After understanding the Kubernetes concepts and the issues, let's see how we can leverage them to gain privileged access to the cluster as a cluster admin.
Once the attacker has gained privileged access to the Kubernetes cluster - which can be done by taking control of the FluentBit container - they can exploit the default configuration of the FluentBit container, which mounts the /var/lib/kubelet/pods volume.
For this to be a meaningful privilege escalation, the attacker would need to target a powerful service account.
The attacker can update the cluster role bound to CRAC to possess all privileges.
Figure 6 shows how the attacker specifies the CRAC's service account in the pod's YAML file and finally saves the token in one of their own volume folders.
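The first link in the chain above is a container whose hostPath volume exposes /var/lib/kubelet/pods, the node directory that holds every pod's mounted service-account token. The following Python is an added defender-side check, not code from the Unit 42 post: it walks the JSON from `kubectl get pods -A -o json` and reports every container mount of that directory or of an ancestor such as / or /var/lib/kubelet, so the check generalizes beyond the FluentBit configuration the post describes. The pod names and manifests are constructed for the example.

```python
"""Flag pods whose hostPath volumes expose the node's kubelet pod directory.

/var/lib/kubelet/pods holds the mounted secrets and projected service-account
tokens of every pod on the node, so any container that can read it (directly or
through a mount of an ancestor such as / or /var/lib/kubelet) can read every
pod's token. Input is the JSON from `kubectl get pods -A -o json`; the sample is
constructed for this example.
"""
import json
import posixpath

KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def host_path_covers(host_path, target=KUBELET_PODS_DIR):
    """True if mounting host_path exposes target, i.e. host_path is target or an ancestor."""
    host = posixpath.normpath(host_path)
    return posixpath.commonpath([host, posixpath.normpath(target)]) == host


def audit_pods(pod_list):
    """Return one finding per container mount that exposes the kubelet pod directory.

    Each finding is (namespace/pod, container, hostPath, mountPath, readOnly).
    readOnly is reported but does not reduce the risk: tokens only need to be read.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # volume name -> host path, for hostPath volumes only
        host_vols = {v["name"]: v["hostPath"]["path"]
                     for v in spec.get("volumes", []) if "hostPath" in v}
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for mount in container.get("volumeMounts", []):
                host_path = host_vols.get(mount["name"])
                if host_path and host_path_covers(host_path):
                    findings.append((f"{meta['namespace']}/{meta['name']}", container["name"],
                                     host_path, mount["mountPath"], bool(mount.get("readOnly", False))))
    return findings


# Constructed sample (not real workloads): a log agent mounting the kubelet pod
# directory read-only, a plain web pod, and a node tool mounting the whole host root.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"namespace": "kube-system", "name": "example-log-agent-abc12"},
   "spec": {
     "volumes": [{"name": "varlibkubeletpods", "hostPath": {"path": "/var/lib/kubelet/pods"}},
                 {"name": "config", "configMap": {"name": "example-log-agent"}}],
     "containers": [{"name": "agent",
                     "volumeMounts": [{"name": "varlibkubeletpods", "mountPath": "/var/lib/kubelet/pods", "readOnly": true},
                                      {"name": "config", "mountPath": "/etc/agent"}]}]}},
  {"metadata": {"namespace": "default", "name": "example-web-7f9c"},
   "spec": {"volumes": [{"name": "cache", "emptyDir": {}}],
            "containers": [{"name": "web", "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}]}},
  {"metadata": {"namespace": "kube-system", "name": "example-node-tool-xyz"},
   "spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            "containers": [{"name": "tool", "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}
]}
""")

if __name__ == "__main__":
    for pod, container, host_path, mount_path, read_only in audit_pods(SAMPLE_PODS):
        print(f"{pod} container={container} hostPath={host_path} -> {mount_path} readOnly={read_only}")
```

Every finding is a container from which a node's worth of service-account tokens can be read; the remediation is to scope the mount to the log directories the agent actually needs, or to enforce the restriction cluster-wide with an admission policy that rejects hostPath volumes under /var/lib/kubelet.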
Unit 42 researchers were the first to combine the FluentBit vulnerability with ASM's CNI DaemonSet privileges into an attack chain that eventually allows escalating to cluster admin privileges.
This post demonstrates how an attacker can use two issues in system pods and add-on pods to escalate privileges and gain admin permissions.
Palo Alto Networks Prisma Cloud is a cloud security platform that is designed to help you protect your Kubernetes cluster from a variety of threats, including attacks that target system pods and add-on pods.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Wed, 27 Dec 2023 14:43:05 +0000