CyberSecurityBoard
Sponsor Register Login

Multiple Flaws in Google Kubernetes Engine

Google Kubernetes Engine has been detected with two flaws that a threat actor can utilize to create significant damage in case the threat actor already has access inside the Kubernetes cluster.
The first issue was associated with FluentBit with default configuration.
FluentBit is GKE's logging agent that runs by default on all the clusters.
The second issue was linked to Anthos Service Mesh, which has default privileges.
If an attacker gains enough privilege inside a FluentBit container, which also has ASM installed, the threat actor can create an attack chain that could result in complete control over the Kubernetes cluster.
Post this, the threat actor can perform various actions such as data theft, deployment of malicious pods, or even disruption of the Kubernetes cluster's operations.
Google fixed this configuration issue in mid-December 2023.
In this step, each pod inside the FluentBit mounted volume contains a kube-api-access volume that has the projected service account token.
This token is used to communicate with the Kubernetes API, which is sensitive information.
If the FluentBit pod is compromised, the threat actor can use any token of any pod on the node.
The threat actor can also impersonate a pod and gain privileged access inside the Kubernetes API server, followed by several malicious actions such as mapping the entire cluster, listing all the running pods, etc.
This step involves the exploitation of ASM's Container Network Interface DaemonSet, which keeps excessive privileges after installation.
While ASM is enabled, Istio-cni-node DaemonSet is also installed in the cluster.
This Daemonset is used for installing and configuring the Istio CNI plugin on each node in the cluster, and it also has higher permissions to perform tasks.
To chain these exploits, the pod must have an ASM feature installed, and the threat actor must gain privileged access inside the Kubernetes cluster.
Once these two prerequisites are fulfilled, the threat actor can chain these exploits.
The threat actor can perform a task after taking control of the FluentBit container by exploiting the default configuration.
The threat actor can have access to the kube-api-access- directory that has all the tokens from all the pods in the node.
From there, the threat actor can perform any malicious actions and gain complete control over the Kubernetes cluster.
A complete report about these two issues has been published by Palo Alto, providing detailed information about the privileges, concepts, exploitation, and other information.


This Cyber News was published on gbhackers.com. Publication date: Tue, 02 Jan 2024 13:43:04 +0000


Cyber News related to Multiple Flaws in Google Kubernetes Engine

Auditing Kubernetes with Open Source SIEM and XDR - Container technology has gained traction among businesses due to the increased efficiency it provides. In this regard, organizations widely use Kubernetes for deploying, scaling, and managing containerized applications. Organizations should audit ...
1 year ago Thehackernews.com
Rootkit Turns Kubernetes from Orchestration to Subversion - As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - ...
1 year ago Darkreading.com
Protecting against new Kubernetes threats in 2024 and beyond - A wave of new attacks targeted Kubernetes in 2023: Dero and Monero crypto miners, Scarleteel and RBAC-Buster. Finding an initial foothold with a web app vulnerability, then moving laterally is the hallmark of a Kubernetes attack. Understanding the ...
11 months ago Venturebeat.com
XM Cyber Launches Kubernetes Exposure Management to Intelligently Protect Critical Container Environments - PRESS RELEASE. HERZLIYA, Israel, Nov. 29, 2023 /PRNewswire/ - XM Cyber, the leader in hybrid cloud exposure management, today announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes ...
1 year ago Darkreading.com
Multiple Flaws in Google Kubernetes Engine - Google Kubernetes Engine has been detected with two flaws that a threat actor can utilize to create significant damage in case the threat actor already has access inside the Kubernetes cluster. The first issue was associated with FluentBit with ...
11 months ago Gbhackers.com
Google Cloud Next 2024: New Data Center Chip Joins Ecosystem - Google Cloud announced a new enterprise subscription for Chrome and a bevy of generative AI add-ons for Google Workspace during the Cloud Next '24 conference, held in Las Vegas from April 9 - 11. Overall, Google Cloud is putting its Gemini generative ...
7 months ago Techrepublic.com
Patch Now: Kubernetes RCE Flaw Allows Full Takeover of Windows Nodes - A security bug in the widely used Kubernetes container-management system allows attackers to remotely execute code with System privileges on Windows endpoints, potentially leading to full takeover of all Windows nodes within a Kubernetes cluster. ...
8 months ago Darkreading.com
Kubernetes Vulnerability Let Attackers Take Full System Control - A new vulnerability, CVE-2023-5528, has been discovered with Kubernetes. This vulnerability is associated with a command injection vulnerability that leads to remote code execution with SYSTEM-level privileges on the compromised Windows node. The ...
8 months ago Gbhackers.com
Kubernetes DaemonSet: Monitoring in Kubernetes - That's why it makes sense to collect logs from every node and send them to some sort of central location outside the Kubernetes cluster for persistence and later analysis. A DaemonSet in Kubernetes is a specific kind of workload controller that ...
11 months ago Feeds.dzone.com
Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized Access in Kubernetes - While each issue might not result in significant damage on its own, when combined they create an opportunity for an attacker who already has access to a Kubernetes cluster to escalate their privileges. If an attacker has the ability to execute in the ...
11 months ago Unit42.paloaltonetworks.com
Frustration grows over Google's AI Overviews feature, how to disable - Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI Overviews feature in regular search results. When you're signed into Google and search for general topics like how to install one ...
6 months ago Bleepingcomputer.com
The Kubernetes Cost Features You Need in 2024 - In the rapidly evolving Kubernetes ecosystem, managing costs effectively is as critical as ensuring operational efficiency. To make the most of your shift to cloud native technologies in 2024, you need a roadmap to Kubernetes cost optimization, ...
11 months ago Securityboulevard.com
Falcon Cloud Security Supports Google Cloud Run to Strengthen Serverless Application Security - We're thrilled to share that the CrowdStrike Falcon® sensor now fully supports Google Cloud Run, bringing advanced security capabilities to your serverless applications. While we announced this at Google Cloud Next in April 2024, this blog goes ...
5 months ago Crowdstrike.com
5 open-source tools for pentesting Kubernetes you should check out - Kubernetes, often called K8s, is an open-source platform designed to automate the deployment, scaling, and operations of containerized applications. Kubernetes has become a critical part of the infrastructure for many organizations. With its ...
11 months ago Helpnetsecurity.com
Ahead of Regulatory Wave: Google's Pivotal Announcement for EU Users - Users in the European Union will be able to prevent Google services from sharing their data across different services if they do not wish to share their data. Google and five other large technology companies must comply with the EU's Digital Markets ...
10 months ago Cysecurity.news
Discovering SSRF Flaws in Microsoft Azure Services - Microsoft Azure is an incredibly popular cloud computing platform and its services are used around the world. Recently, security researchers uncovered several Server-Side Request Forgery (SSRF) flaws in many of Microsoft Azure’s services. This type ...
1 year ago Securityaffairs.com
Versions 14 and 13 of Android are Vulnerable to New Lock Screen Bypass Exploits - Using Android 14 and 13 smartphones, a newly discovered bug allowing the user to bypass the lock screen can compromise sensitive information from Google accounts stored in users' Google accounts, according to security researcher Jose Rodriguez. It ...
11 months ago Cysecurity.news
Vulnerability prioritization in Kubernetes: unpacking the complexity - One particularly significant aspect to consider is vulnerability prioritization. We'll explore practical prioritization strategies tailored to Kubernetes and discuss the significance of effective vulnerability patching. A vulnerability in a pod that ...
11 months ago Securityboulevard.com
Helm: Simplifying Kubernetes Deployments - As a Kubernetes package manager, Helm greatly streamlines and simplifies deployment processes. In this article, we will delve deeply into Helm and explore how it facilitates the easier management of Kubernetes deployments. Templates: Helm uses ...
10 months ago Feeds.dzone.com
Guarding Kubernetes From the Threat Landscape - DZone - If compromised, attackers can exploit these broad permissions to manipulate deployments, introduce malicious code, gain unauthorized access to critical systems, steal sensitive data, or create backdoors for ongoing access. Part of the security ...
2 months ago Feeds.dzone.com
Google paid $10 million in bug bounty rewards last year - Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid ...
8 months ago Bleepingcomputer.com
Google says spyware vendors behind most zero-days it discovers - Commercial spyware vendors were behind 80% of the zero-day vulnerabilities Google's Threat Analysis Group discovered in 2023 and used to spy on devices worldwide. Zero-day vulnerabilities are security flaws the vendors of impacted software do not ...
9 months ago Bleepingcomputer.com
Google promises a rescue patch for Android 14's "ransomware" bug - So Android 14 has this pretty horrible storage bug for upgrading users. Bugs are always going to happen, but the big problem with this is that Google has seemingly been ignoring it, and on Friday we wrote about how users have been piling up hundreds ...
1 year ago Arstechnica.com
Over 1,450 pfSense servers exposed to RCE attacks via bug chain - Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance. PfSense is a popular open-source firewall ...
11 months ago Bleepingcomputer.com
Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk - Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues. According to Hunters Security, a flaw in Google Workspace's ...
1 year ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)