
Google Kubernetes Security Vulnerability Allows Any Google User to Gain Control of the Cluster


A new vulnerability has been found in Google Kubernetes Engine (GKE) that could potentially allow threat actors to exploit misconfigured clusters and access sensitive information. The vulnerability, known as “Sys:all”, affects more than 250,000 active GKE clusters, raising concerns about the security and integrity of the data stored in these clusters.

Security researchers traced this vulnerability to misconfigured Role-Based Access Control (RBAC) bindings that gave the system:authenticated group excessive privileges. As a result, any Google account holder could potentially access and control vulnerable clusters, posing a significant security risk to the organizations using GKE.

The implications of this vulnerability are alarming, as threat actors could potentially use these compromised clusters for various malicious activities such as crypto mining, denial of service attacks, and data theft. Additionally, the vulnerability could expose sensitive information stored in the clusters, increasing the risk of a data breach for organizations.

Reports shared with Cyber Security News revealed that researchers conducted an internet-wide scan to identify clusters that could potentially be exploited, including some belonging to publicly traded companies. Using a Python script and a Google authentication token, the researchers were able to interact with the Kubernetes API of these clusters and attempt to map them to their respective organizations. This information could potentially reveal the owners of the clusters and the impact of the exploitation.

The targeted data points in the compromised clusters included configmaps, Kubernetes secrets, service account details, and other critical operational data, all of which could provide valuable information for attacking an organization. Exploiting these misconfigurations had far-reaching implications, including unauthorized access to AWS credentials stored in a cluster's configmap. This could potentially provide access to sensitive information stored in S3 buckets and other valuable endpoints such as RabbitMQ, Elastic, and internal systems, all of which could be accessed with administrator privileges.

In the attack flow, cluster-admin permissions had been granted to the system:authenticated group, which made it possible to query multiple valuable resources using the Kubernetes API. AWS credentials exposed within a bash script were then used to access S3 buckets and to list and download their contents, some of which contained log files with operational data. This allowed the researchers to find administrator credentials that could be used to log into various systems, including an internal platform.

The extent of this vulnerability and its potential impact on organizations using GKE is concerning, as it exposes the security weaknesses in misconfigured clusters and emphasizes the importance of implementing robust security measures to protect sensitive data. The discovery of this loophole highlights the need for organizations to closely monitor and secure their Kubernetes clusters to prevent unauthorized access and potential data breaches. As threat actors continue to exploit such vulnerabilities, it is crucial for organizations to take proactive steps to mitigate risk and ensure the security of their data.
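An audit check for the misconfiguration described above, added here as an example (not code from the researchers or from Google): it reads binding JSON in the shape produced by `kubectl get clusterrolebindings,rolebindings -A -o json` and flags any binding whose subjects include system:authenticated or another catch-all identity, while skipping Kubernetes' default discovery bindings. The sample bindings, their names, and the helper functions are constructed for illustration.

```python
import json
import sys

# Identities that match every caller. Per the article, on GKE the
# system:authenticated group includes any Google account holder.
BROAD = {"system:authenticated", "system:unauthenticated", "system:anonymous"}
# Kubernetes' own default bindings to these groups (discovery-level roles only).
DEFAULTS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

def audit_bindings(doc):
    """Return one finding per binding that grants a role to a catch-all identity."""
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        name, role = meta.get("name", ""), item.get("roleRef", {}).get("name", "")
        # 'subjects' may be absent or null on an empty binding.
        hits = sorted({s.get("name") for s in item.get("subjects") or []
                       if s.get("kind") in ("Group", "User")} & BROAD)
        if not hits:
            continue
        # Skip a default binding only while it still points at its own default role.
        if item.get("kind") == "ClusterRoleBinding" and name in DEFAULTS and role == name:
            continue
        findings.append({
            "binding": name,
            "namespace": meta.get("namespace", "(cluster-wide)"),
            "role": role,
            "subjects": hits,
            # cluster-admin for everyone is the case the article describes.
            "severity": "critical" if role == "cluster-admin" else "review",
        })
    return findings

def group(name):  # constructed-sample helper (hypothetical, not a kubectl API)
    return {"kind": "Group", "name": name}

def binding(kind, name, role, subjects, ns=None):  # constructed-sample helper
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, "roleRef": {"name": role}, "subjects": subjects}

# Constructed sample; all binding names below are made up.
SAMPLE = {"items": [
    binding("ClusterRoleBinding", "system:discovery", "system:discovery", [group("system:authenticated")]),
    binding("ClusterRoleBinding", "everyone-admin", "cluster-admin", [group("system:authenticated")]),
    binding("RoleBinding", "cm-readers", "configmap-reader", [group("system:authenticated")], ns="payments"),
    binding("ClusterRoleBinding", "ops-admins", "cluster-admin", [{"kind": "User", "name": "alice@example.com"}]),
    binding("ClusterRoleBinding", "empty", "view", None),
]}

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin; with a terminal on stdin the sample is used.
    for finding in audit_bindings(SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)):
        print(json.dumps(finding))
```

Findings marked "review" still deserve attention: a narrower role bound to system:authenticated can expose configmaps or secrets in its namespace.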
