TechRadar
Sead Fadilpašić

Google Cloud says it has fixed a significant security flaw


Google Cloud has patched a vulnerability that may have allowed malicious actors with access to a Kubernetes cluster to elevate their privileges and wreak havoc. 

"An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said in an advisory.

"The issues with Fluent Bit and Anthos Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise."

Data theft

Google also claims it found no evidence of the vulnerabilities being exploited in the wild.

As for the fixes, these are the versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) that contain them:

GKE:
1.25.16-gke.1020000
1.26.10-gke.1235000
1.27.7-gke.1293000
1.28.4-gke.1083000

ASM:
1.17.8-asm.8
1.18.6-asm.2
1.19.5-asm.4

The vulnerability was first discovered by Unit 42, the cybersecurity arm of Palo Alto Networks, TheHackerNews reports. In its report, Unit 42 says the flaws could be used for data theft, the deployment of malicious pods, and disruption of the cluster's operations. However, the chain only works if the attacker already controls a Fluent Bit container.

"GKE uses Fluent Bit to process logs for workloads running on clusters," Google explains further. "Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node."
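As an added example (not Google's, Fluent Bit's or Unit 42's code), here is a check that flags this class of mount in a workload manifest. It assumes the kubelet keeps each Pod's projected volumes, the kube-api-access token included, under /var/lib/kubelet/pods, so any container that mounts that directory or an ancestor of it can read every token on the node. The advisory names neither the mounted path nor Google's fix, so that path and both manifests below are constructed for the example.

```python
"""Audit Kubernetes workload specs for hostPath mounts that expose the
service account tokens of other Pods on the node.

Added example, not Google's, Fluent Bit's or Unit 42's code.
Assumption: the kubelet materialises projected volumes (kube-api-access
tokens among them) under /var/lib/kubelet/pods, so mounting that directory
or any ancestor of it (including /) exposes every Pod's token on the node.
"""
import posixpath

# Host directory the kubelet uses for per-Pod volumes (assumption, see above).
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def exposes_kubelet_pods(host_path):
    """True if a hostPath of host_path includes KUBELET_PODS_DIR.

    The directory itself or any ancestor (e.g. /var/lib or /) is enough.
    readOnly does not help: reading the token file is the whole attack.
    """
    hp = posixpath.normpath(host_path)
    target = posixpath.normpath(KUBELET_PODS_DIR)
    return target == hp or target.startswith(hp.rstrip("/") + "/")


def pod_spec_of(obj):
    """Return the PodSpec of a Pod or of a template-bearing workload object."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind in ("DaemonSet", "Deployment", "StatefulSet", "Job"):
        return obj["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind!r}")


def risky_host_mounts(obj):
    """List every container mount backed by a hostPath that exposes Pod tokens."""
    spec = pod_spec_of(obj)
    exposing = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", [])
        if "hostPath" in v and exposes_kubelet_pods(v["hostPath"].get("path", ""))
    }
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in exposing:
                findings.append({
                    "container": c["name"],
                    "volume": m["name"],
                    "hostPath": exposing[m["name"]],
                    "mountPath": m["mountPath"],
                    "readOnly": bool(m.get("readOnly", False)),
                })
    return findings


# Constructed DaemonSet resembling a log collector that mounts the kubelet Pod
# directory to pick up extra logs, the pattern the advisory describes.
VULNERABLE_DS = {
    "kind": "DaemonSet",
    "metadata": {"name": "log-collector", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
            {"name": "kubelet-pods", "hostPath": {"path": "/var/lib/kubelet/pods/"}},
        ],
        "containers": [{
            "name": "fluent-bit",
            "image": "example.invalid/fluent-bit:latest",  # placeholder image
            "volumeMounts": [
                {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                {"name": "kubelet-pods", "mountPath": "/var/lib/kubelet/pods", "readOnly": True},
            ],
        }],
    }}},
}

# Constructed hardened variant: the kubelet Pod directory is not mounted at all;
# only /var/log is, which holds container logs but no token files (assumption
# about what the collector actually needs; not Google's published fix).
HARDENED_DS = {
    "kind": "DaemonSet",
    "metadata": {"name": "log-collector", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "fluent-bit",
            "image": "example.invalid/fluent-bit:latest",
            "volumeMounts": [{"name": "varlog", "mountPath": "/var/log", "readOnly": True}],
        }],
    }}},
}

if __name__ == "__main__":
    for name, obj in (("vulnerable", VULNERABLE_DS), ("hardened", HARDENED_DS)):
        print(name, risky_host_mounts(obj))
```

Run it against real manifests with `kubectl get ds -A -o json` and loop over `items`; the same function applies to any DaemonSet, Deployment or bare Pod. Note that a readOnly mount is still reported, since the tokens only need to be read.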

In other words, an attacker who already controls the Fluent Bit container can read the service account tokens that this volume mount exposes for the other Pods on the same node. On a cluster with ASM enabled, those include tokens belonging to ASM's highly privileged components, and with such a token the attacker can reach cluster-admin-level access, for example by creating a new pod that runs with cluster-admin privileges.

"The clusterrole-aggregation-controller (CRAC) service account is probably the leading candidate, as it can add arbitrary permissions to existing cluster roles," security researcher Shaul Ben Hai said. "The attacker can update the cluster role bound to CRAC to possess all privileges."
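Detection logic for that escalation step, as an added example rather than anything from Google or Unit 42: it scans Kubernetes audit events for ClusterRole writes that look like a stolen controller token in use. It assumes the native audit.k8s.io/v1 event layout (one JSON object per line), that the genuine clusterrole-aggregation-controller only ever acts from inside kube-controller-manager, and that no other service account should write ClusterRoles unless you list it; the service-account names, user agents, IPs and events are constructed for the example.

```python
"""Scan Kubernetes audit events for ClusterRole writes that look like misuse
of a stolen controller service account token.

Added example, not Google's or Unit 42's code. Input: audit.k8s.io/v1 events,
one JSON object per line. Assumptions: the real clusterrole-aggregation-
controller only acts from inside kube-controller-manager, so its identity on a
ClusterRole write sent by any other client is a strong signal; and no other
service account should write ClusterRoles unless listed in ALLOWED_SA_WRITERS.
"""
import json

CRAC_SA = "system:serviceaccount:kube-system:clusterrole-aggregation-controller"
CONTROLLER_UA_PREFIX = "kube-controller-manager/"  # assumption: the legit client
WRITE_VERBS = {"create", "update", "patch"}
ALLOWED_SA_WRITERS = set()  # add your own RBAC automation accounts here


def classify(event):
    """Return a finding string for a suspicious ClusterRole write, else None."""
    # Every request is logged twice (RequestReceived and ResponseComplete);
    # only count the completed one.
    if event.get("stage") != "ResponseComplete":
        return None
    if event.get("verb") not in WRITE_VERBS:
        return None
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "clusterroles" or ref.get("apiGroup") != "rbac.authorization.k8s.io":
        return None
    user = (event.get("user") or {}).get("username", "")
    agent = event.get("userAgent", "")
    ips = ",".join(event.get("sourceIPs", []))
    role = ref.get("name", "?")
    verb = event["verb"]
    if user == CRAC_SA and not agent.startswith(CONTROLLER_UA_PREFIX):
        return (f"CRAC token used from non-controller client {agent!r} ({ips}) "
                f"to {verb} ClusterRole {role}")
    if user.startswith("system:serviceaccount:") and user != CRAC_SA and user not in ALLOWED_SA_WRITERS:
        return f"service account {user} ({ips}) performed {verb} on ClusterRole {role}"
    return None


def scan(lines):
    """Return [(line_number, finding)] for suspicious events; non-JSON lines are skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = classify(event)
        if reason:
            findings.append((n, reason))
    return findings


def _ev(stage, verb, user, agent, ip, resource="clusterroles", name="admin",
        group="rbac.authorization.k8s.io"):
    """Build one constructed audit event line in the audit.k8s.io/v1 shape."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": verb, "user": {"username": user}, "userAgent": agent,
        "sourceIPs": [ip], "objectRef": {"resource": resource, "apiGroup": group, "name": name},
    })


# Constructed sample log (addresses, agents and the target role are made up).
SAMPLE_LOG = [
    # 1: the real controller reconciling an aggregated role: benign
    _ev("ResponseComplete", "update", CRAC_SA, "kube-controller-manager/v1.28.4 (linux/amd64)", "10.0.0.2"),
    # 2: RequestReceived half of the attacker's request: ignored (no double count)
    _ev("RequestReceived", "update", CRAC_SA, "kubectl/v1.28.4 (linux/amd64)", "10.4.1.17",
        name="system:controller:clusterrole-aggregation-controller"),
    # 3: the same request completing: CRAC's token driven by kubectl from a pod IP,
    #    rewriting the role bound to CRAC itself
    _ev("ResponseComplete", "update", CRAC_SA, "kubectl/v1.28.4 (linux/amd64)", "10.4.1.17",
        name="system:controller:clusterrole-aggregation-controller"),
    # 4: an ordinary read by a workload service account: benign
    _ev("ResponseComplete", "get", "system:serviceaccount:default:app", "kubectl/v1.28.4 (linux/amd64)",
        "10.4.2.5", resource="pods", group="", name="web-0"),
    # 5: a workload service account patching a ClusterRole: caught by the broader rule
    _ev("ResponseComplete", "patch", "system:serviceaccount:default:app", "curl/8.4.0", "10.4.2.5", name="edit"),
    "not json at all",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The first rule is the sharp one: the controller's own writes come from kube-controller-manager on the control plane, so the same identity arriving with a kubectl or curl user agent from a pod address is the stolen-token pattern. On GKE, audit events are exported to Cloud Logging in a wrapped form with different field names, so the field access in `classify` would need adapting there (assumption; this example reads the raw apiserver audit format only).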
