Misconfiguration exposes GKE clusters to takeover

Researchers from cloud security firm Orca have discovered that a widespread misunderstanding of a key authentication parameter in Google Kubernetes Engine leaves clusters at risk of takeover.

Orca Security has published two detailed technical write-ups of the issue.

The summary is simple: the flaw can be exploited by “an attacker with any Google account”.

“The loophole, which we dubbed Sys:All, stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine (GKE) includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (including outside the organisation),” Orca explained. 

“This misunderstanding then creates a significant security loophole when administrators unknowingly bind this group with overly permissive roles.”

The Sys:All name reflects the outcome: once an administrator binds system:authenticated to a privileged role, anyone who can authenticate to the cluster with a Google account inherits that role, and in the worst case gets full control of the target cluster.

“These misconfigurations led to the exposure of various sensitive data types, including JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, and private keys,” Orca wrote.

They gave the example of an unnamed “publicly traded company where this misconfiguration resulted in extensive unauthorized access, potentially leading to system-wide security breaches.”

Google’s response

Although the root cause is a misunderstanding of the system:authenticated group rather than a bug in GKE, Google has made changes (detailed in a security bulletin) from GKE version 1.28 that it said are designed to reduce the risk of “users making authorisation errors with the Kubernetes built-in users and groups, including system:anonymous, system:authenticated, and system:unauthenticated”.

These changes include blocking new bindings of the highly privileged cluster-admin ClusterRole to those groups.
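The practical check that follows from the Sys:All write-up and from Google's new binding rule is a review of every ClusterRoleBinding and RoleBinding whose subject is one of the three built-in groups. The script below is an added example, not code from Orca or Google: it walks a JSON dump of the kind produced by `kubectl get clusterrolebindings,rolebindings -A -o json`, skips the upstream default bindings (system:basic-user, system:discovery, system:public-info-viewer, which only expose self-info and API discovery), grades everything else by the role it grants, and can rewrite a bad binding so that the group subject is replaced with explicit identities. The sample dump, the namespace and user names, and the function names are constructed for this example.

```python
"""Static RBAC audit for the Sys:All misconfiguration (example code).

Input is the JSON list that `kubectl get clusterrolebindings,rolebindings -A -o json`
prints. Any binding that grants a role to system:authenticated,
system:unauthenticated or system:anonymous is reported, because on GKE
system:authenticated contains every Google account, not just the organisation's.
"""
import copy
import json

# Built-in groups whose membership is far wider than their names suggest.
BUILTIN_GROUPS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}

# Upstream Kubernetes binds these ClusterRoles to system:authenticated by default;
# they expose only self-information and API discovery, so they are not findings.
DEFAULT_ALLOWED = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

# Default ClusterRoles that grant broad write access inside a namespace or cluster.
HIGH_RISK_ROLES = {"admin", "edit"}


def audit_bindings(dump: dict) -> list[dict]:
    """Return one finding per (binding, built-in group) pair, most severe first."""
    findings = []
    for item in dump.get("items", []):
        role_kind = item["roleRef"]["kind"]
        role = item["roleRef"]["name"]
        if role_kind == "ClusterRole" and role in DEFAULT_ALLOWED:
            continue
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "Group" or subj.get("name") not in BUILTIN_GROUPS:
                continue
            is_cluster_admin = role_kind == "ClusterRole" and role == "cluster-admin"
            if is_cluster_admin:
                severity = "critical"
            elif role in HIGH_RISK_ROLES:
                severity = "high"
            else:
                severity = "medium"  # read-only or custom role; still world-readable
            findings.append({
                "binding": f'{item["kind"]}/{item["metadata"]["name"]}',
                "namespace": item["metadata"].get("namespace"),
                "group": subj["name"],
                "role": f"{role_kind}/{role}",
                "severity": severity,
                # GKE 1.28+ refuses to create this exact binding; older clusters
                # and pre-existing bindings are not covered by that block.
                "blocked_on_gke_1_28": is_cluster_admin,
            })
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def fixed_binding(item: dict, replacement_subjects: list[dict]) -> dict:
    """Return a copy of a binding with built-in group subjects replaced by explicit ones."""
    fixed = copy.deepcopy(item)
    kept = [s for s in fixed.get("subjects") or []
            if not (s.get("kind") == "Group" and s.get("name") in BUILTIN_GROUPS)]
    fixed["subjects"] = kept + replacement_subjects
    return fixed


# Constructed sample dump: one safe default, one Sys:All cluster-admin binding,
# one namespaced read-only exposure, and one correctly scoped admin binding.
SAMPLE_DUMP = {"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]}

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_DUMP):
        print(json.dumps(finding))
    repaired = fixed_binding(SAMPLE_DUMP["items"][1],
                             [{"kind": "User", "name": "alice@example.com"}])
    print(json.dumps(repaired["subjects"]))
```

Run it against a real dump by replacing `SAMPLE_DUMP` with `json.load(open("bindings.json"))`. A medium finding is not harmless: a world-readable `view` binding is exactly how the secrets Orca lists (JWTs, cloud keys, private keys) leak once they sit in ConfigMaps or Secrets the role can read.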

Orca also found that a Sys:All attack left almost no trace in logs, so Google has added detection rules to Security Command Center and prevention rules to Policy Controller.
