Google Cloud fixes major security issue in Kubernetes clusters

Google Cloud recently fixed a security flaw in its Kubernetes clusters that could have let hackers with limited access gain complete control.

The problem involved Fluent Bit, a logging tool, and Anthos Service Mesh, a service management platform. An attacker who broke into a Fluent Bit container could use the elevated privileges of Anthos Service Mesh to take over the entire cluster.

Google has now resolved the issue and confirmed that the vulnerabilities were not used maliciously. They also provided updated versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) that are protected against this vulnerability:

  • 1.25.16-gk.10200000
  • 1.26.10-gk.1235000
  • 1.27.7-gk.1293000
  • 1.28.4-gk.1083000
  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

Unit 42, Palo Alto Networks’ cybersecurity team, initially discovered the issue. They warned that the flaw could lead to data theft, malicious software deployment, or disruption to the cluster’s operation. However, the attacker must first compromise the Fluent Bit container.


In GKE, Fluent Bit processed logs and obtained access tokens from Kubernetes service accounts, and those tokens could be exploited. An attacker could use them to create a new pod with top-level administrator rights, giving them full control over the cluster.

Security expert Shaul Ben Hai reported that the CRAC (ClusterRole-Aggregation-Controller) service account was particularly vulnerable, as it could grant broad permissions, making the attack more serious. However, with Google’s recent improvements, these concerns have been addressed.
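
A defender-side check for the kind of over-privileged service account described above, as an added example that does not come from the article, Google or Unit 42: it audits ClusterRoles and ClusterRoleBindings for service accounts holding takeover-capable permissions. The shortlist of risky permissions and every object name are assumptions constructed for illustration.

```python
# Added example: flag service accounts whose ClusterRoles permit cluster takeover.
# Covers ClusterRoleBindings only. All object names are constructed sample data.
RBAC = "rbac.authorization.k8s.io"
# (apiGroup, resource, verb) -> finding. This shortlist is an assumption made for
# illustration; the article does not enumerate the permissions involved.
RISKY = {
    ("", "pods", "create"): "create pods",
    (RBAC, "clusterroles", "update"): "modify ClusterRoles",
    (RBAC, "clusterrolebindings", "create"): "create ClusterRoleBindings",
}

def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule grants verb on group/resource ('*' is a wildcard)."""
    wanted = (("apiGroups", group), ("resources", resource), ("verbs", verb))
    return all("*" in rule.get(k, []) or w in rule.get(k, []) for k, w in wanted)

def audit(cluster_roles, bindings):
    """Map 'namespace/name' of each ServiceAccount subject to its risky grants."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules") or [] for r in cluster_roles}
    findings = {}
    for b in bindings:
        rules = rules_by_role.get(b["roleRef"]["name"], [])
        hits = {label for (g, res, v), label in RISKY.items()
                if any(rule_allows(rule, g, res, v) for rule in rules)}
        for s in b.get("subjects") or []:
            if hits and s.get("kind") == "ServiceAccount":
                findings.setdefault(f'{s.get("namespace")}/{s["name"]}', set()).update(hits)
    return {sa: sorted(h) for sa, h in findings.items()}

def make_role(name, groups, resources, verbs):
    return {"metadata": {"name": name},
            "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}

def make_binding(role, namespace, sa):
    return {"roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "namespace": namespace, "name": sa}]}

SAMPLE_ROLES = [
    make_role("sample-log-reader", [""], ["pods", "nodes"], ["get", "list", "watch"]),
    make_role("sample-role-aggregator", [RBAC], ["clusterroles"], ["get", "list", "update"]),
    make_role("sample-everything", ["*"], ["*"], ["*"]),
]
SAMPLE_BINDINGS = [
    make_binding("sample-log-reader", "logging", "sample-log-agent"),
    make_binding("sample-role-aggregator", "kube-system", "sample-aggregator"),
    make_binding("sample-everything", "mesh", "sample-mesh-installer"),
]
if __name__ == "__main__":
    print(audit(SAMPLE_ROLES, SAMPLE_BINDINGS))
```

On a real cluster the two inputs would be the `items` arrays from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.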
