Google Cloud says it has fixed a significant security flaw

Image of someone clicking a cloud icon.
Image Credit: Shutterstock (Image credit: Shutterstock)

Google Cloud has patched a vulnerability that may have allowed malicious actors with access to a Kubernetes cluster to elevate their privileges and wreak havoc. 

"An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said in an advisory.

"The issues with Fluent Bit and Anthos Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise."

Data theft

Google also claims it found no evidence of the vulnerabilities being exploited in the wild.

As for the fixes, these are the versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) that are protected:

1.25.16-gke.1020000
1.26.10-gke.1235000
1.27.7-gke.1293000
1.28.4-gke.1083000
1.17.8-asm.8
1.18.6-asm.2
1.19.5-asm.4

The vulnerability was first discovered by Unit 42, the cybersecurity arm of Palo Alto Networks, TheHackerNews reports. In its report, Unit 42 says the flaws could be used for data theft, the deployment of malicious pods, and disruption of the cluster's operations. However, to make it work, the attacker needs to have a compromised Fluent Bit container in advance.

"GKE uses Fluent Bit to process logs for workloads running on clusters," Google explains further. "Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node."

In other words, a hacker could use a Kubernetes cluster with ASM enabled, and then use the ASM service account token to create a new pod with cluster-admin privileges, effectively escalating their privileges to the highest tier.

"The clusterrole-aggregation-controller (CRAC) service account is probably the leading candidate, as it can add arbitrary permissions to existing cluster roles," security researcher Shaul Ben Hai said. "The attacker can update the cluster role bound to CRAC to possess all privileges."

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.