“An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster,” the company said in an advisory.
“The issues with Fluent Bit and Anthos Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise.”
Google also claims it found no evidence of the vulnerabilities being exploited in the wild.
As for the fixes, these are the versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) that are protected:
The vulnerability was first discovered by Unit 42, the cybersecurity arm of Palo Alto Networks, TheHackerNews reports. In its report, Unit 42 says the flaws could be used for data theft, the deployment of malicious pods, and disruption of the cluster’s operations. However, to make it work, the attacker needs to have a compromised Fluent Bit container in advance.
“GKE uses Fluent Bit to process logs for workloads running on clusters,” Google explains further. “Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node.”
In other words, on a cluster with ASM enabled, an attacker who already controls the Fluent Bit container could read the ASM service account token exposed through that volume mount and use it to create a new pod with cluster-admin privileges, effectively escalating to the highest tier of access in the cluster.
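The root cause Google describes is a hostPath-style volume mount that let a log collector read other pods' service account tokens from the node. The following audit script is an added illustration, not code from Google, Unit 42 or the Fluent Bit project: it scans pod specs for hostPath mounts that cover the node directory where the kubelet stores each pod's projected volumes, including service account tokens. The directory path `/var/lib/kubelet/pods` is an assumption about a default kubelet layout and is not stated in the article; the pod specs are constructed samples.

```python
"""Flag pod specs whose hostPath mounts expose other pods' service account tokens.

Added example for illustration; it is not the advisory's or Unit 42's tooling.
"""
from typing import Dict, List

# Assumption (not from the article): on a default kubelet layout, every pod's
# volumes, including projected service-account tokens, live under this tree.
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def _path_within(path: str, root: str) -> bool:
    """True if `path` equals `root` or is a descendant of it (lexical check only)."""
    path = "/" + path.strip("/")
    root = "/" + root.strip("/")
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def find_token_exposing_mounts(pod: Dict) -> List[Dict]:
    """Return one finding per container mount that can reach the kubelet pods tree.

    A mount is flagged when its host path lies inside KUBELET_PODS_DIR or when it
    contains that directory (for example "/", "/var/lib" or "/var/lib/kubelet").
    readOnly does not help here: a read-only view is enough to copy a token.
    """
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    pod_ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"

    # Map volume name -> host path for every hostPath volume in the pod.
    host_paths = {}
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath", {})
        if "path" in host_path:
            host_paths[vol["name"]] = host_path["path"]

    findings = []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for container in containers:
        for mount in container.get("volumeMounts", []):
            host_path = host_paths.get(mount.get("name"))
            if host_path is None:
                continue  # not a hostPath volume (emptyDir, configMap, ...)
            if _path_within(host_path, KUBELET_PODS_DIR) or _path_within(KUBELET_PODS_DIR, host_path):
                findings.append({
                    "pod": pod_ref,
                    "container": container.get("name", "?"),
                    "hostPath": host_path,
                    "mountPath": mount.get("mountPath"),
                    "readOnly": bool(mount.get("readOnly", False)),
                })
    return findings


def audit_pods(pods: List[Dict]) -> List[Dict]:
    """Run the check over many pod specs (e.g. the items of `kubectl get pods -A -o json`)."""
    findings = []
    for pod in pods:
        findings.extend(find_token_exposing_mounts(pod))
    return findings


# Constructed sample pod specs (not real cluster data).
SAMPLE_PODS = [
    {   # a log agent handed the whole kubelet pods tree, read-only: flagged
        "metadata": {"name": "log-agent", "namespace": "logging"},
        "spec": {
            "volumes": [
                {"name": "varlog", "hostPath": {"path": "/var/log"}},
                {"name": "kubelet-pods", "hostPath": {"path": "/var/lib/kubelet/pods"}},
            ],
            "containers": [{"name": "agent", "volumeMounts": [
                {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                {"name": "kubelet-pods", "mountPath": "/var/lib/kubelet/pods", "readOnly": True},
            ]}],
        },
    },
    {   # the same agent limited to /var/log: not flagged
        "metadata": {"name": "log-agent-safe", "namespace": "logging"},
        "spec": {
            "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
            "containers": [{"name": "agent", "volumeMounts": [
                {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
            ]}],
        },
    },
    {   # a debug pod mounting the node root, which contains the token tree: flagged
        "metadata": {"name": "node-debug", "namespace": "default"},
        "spec": {
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            "containers": [{"name": "shell", "volumeMounts": [
                {"name": "host", "mountPath": "/host"},
            ]}],
        },
    },
]

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE_PODS):
        print(finding)
```

Feeding the script real cluster data means passing the `items` array of `kubectl get pods -A -o json`; anything it flags deserves the same scrutiny Google applied to Fluent Bit, namely narrowing the mount to the log directories the collector actually needs.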
“The clusterrole-aggregation-controller (CRAC) service account is probably the leading candidate, as it can add arbitrary permissions to existing cluster roles,” security researcher Shaul Ben Hai said. “The attacker can update the cluster role bound to CRAC to possess all privileges.”