An overlooked vulnerability in the authentication system of Google Kubernetes Engine (GKE) could lead to potentially catastrophic cybersecurity incidents, according to a statement from researchers. The security loophole, identified by Orca Security under the name of Sys:All, might enable malicious actors outside an organization to access private Kubernetes container clusters. This could result in a variety of serious security breaches, such as cryptomining, denial-of-service (DoS) attacks, and the theft of sensitive data. These revelations have raised red flags for cloud security professionals and IT administrators across the industry.
Individuals were found to have inadvertently granted Kubernetes privileges to the “system:authenticated” group, mistakenly assuming that it contained only users verified by and belonging to their organization. However, the group includes any Google-authenticated account, including accounts outside the organization, researchers reported. This gaping hole in the security protocol could potentially put organizations at risk. Orca researchers reported that they were able to locate 250,000 active GKE clusters, of which 1,300 were potentially vulnerable to Sys:All. Within that subset, 108 clusters were found to be easily exploitable, allowing unauthorized access as well as the viewing or deletion of critical system data.
The Orca research team has reported that the clusters it confirmed are merely a fraction of the total GKE clusters at risk. Its senior security researcher, Roi Nisimi, expressed grave concern that over a million GKE clusters may be susceptible to this line of attack. The severity of the vulnerability was underscored by the researchers’ proof-of-concept demonstrations, in which they gained unauthorized access to isolated GKE clusters.
In addition to the exposure of a Nasdaq-listed company’s system data, Orca’s exploration of other exposed GKE clusters has revealed access to sensitive data across various organizations, including exposure of Google Cloud Platform (GCP) API keys and service account JSONs, private keys, and other confidential data stored on containers or registries.
In response to Orca’s findings, Google has released a security bulletin outlining preventive measures to address the issue. Since changing how regular users interact with the GKE authentication system was impractical, Google has instead blocked the binding of the “system:authenticated” group to the cluster-admin role starting from GKE version 1.28. Users have been advised to upgrade promptly to take advantage of the new security features in newer GKE versions, and are strongly recommended to minimize access privileges and to continually monitor and adjust them to maintain security within the organization.
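The misconfiguration described above is visible in a cluster’s RBAC bindings, so an administrator can audit for it directly. The following script is an added example, not Orca’s tooling or Google’s; it parses the JSON shape produced by `kubectl get clusterrolebindings,rolebindings -A -o json`, skips the low-privilege bindings that upstream Kubernetes ships for `system:authenticated` by default (assumed unmodified), and flags every other binding that grants a role to `system:authenticated` or `system:unauthenticated`. The sample input is constructed.

```python
"""Audit Kubernetes RBAC bindings for grants to the system:authenticated
and system:unauthenticated groups (the Sys:All misconfiguration)."""
import json

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Upstream Kubernetes binds system:authenticated to these low-privilege
# ClusterRoles by default; assumption: they have not been modified.
EXPECTED_DEFAULTS = {"system:basic-user", "system:discovery",
                     "system:public-info-viewer"}

# Roles that hand broad control to whoever holds them.
CRITICAL_ROLES = {"cluster-admin", "admin", "edit"}


def audit_bindings(bindings_json: str) -> list:
    """Return one finding per binding with a broad-group subject:
    (kind, namespace, binding name, role, severity)."""
    findings = []
    for item in json.loads(bindings_json)["items"]:
        meta = item["metadata"]
        name = meta["name"]
        if item["kind"] == "ClusterRoleBinding" and name in EXPECTED_DEFAULTS:
            continue  # well-known default, expected in every cluster
        groups = {s["name"] for s in item.get("subjects") or []
                  if s.get("kind") == "Group"}
        if not groups & BROAD_GROUPS:
            continue
        role = item["roleRef"]["name"]
        if item["kind"] == "ClusterRoleBinding" and role in CRITICAL_ROLES:
            severity = "CRITICAL"  # cluster-wide control for any account
        elif "system:unauthenticated" in groups or role in CRITICAL_ROLES:
            severity = "HIGH"      # anonymous access, or namespace-wide control
        else:
            severity = "REVIEW"    # broad group, limited role: verify intent
        findings.append((item["kind"], meta.get("namespace", ""),
                         name, role, severity))
    return findings


# Constructed sample mimicking kubectl output: a default binding, a
# cluster-admin grant to every authenticated account, and a namespaced view.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "RoleBinding", "metadata": {"name": "ci-view", "namespace": "ci"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]})

if __name__ == "__main__":
    for kind, ns, name, role, sev in audit_bindings(SAMPLE):
        print(f"{sev:<9}{kind:<20}{ns or '-':<8}{name:<16}-> {role}")
```

Run it against real output by replacing `SAMPLE` with the file written by `kubectl get clusterrolebindings,rolebindings -A -o json`; any CRITICAL or HIGH finding is a binding to remove or narrow to named users and groups.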
The Orca research team has demonstrated the critical need for organizations to follow the principle of least privilege, meaning that they should only grant users privileges to cloud assets that are necessary for their specific roles within the organization.
Customers have been encouraged to consider using a reputable cloud security platform to help them find all potentially vulnerable Kubernetes clusters, tighten permissions, and ensure continuous security monitoring.
According to a Google spokesperson, the company has created a Vulnerability Rewards Program specifically to “identify security events with potential customer impact.” Google has publicly recognized the value of Orca Security’s research and has issued a security bulletin advising affected GKE users to implement the necessary security measures to protect themselves. The company has also assured it is working closely with Orca Research to integrate its findings into an ongoing response to fortify GKE’s security mechanisms.