Cybersecurity experts recently found a loophole in Google Kubernetes Engine (GKE) that could allow attackers with a Google account to seize control of a Kubernetes cluster. This vulnerability, named Sys:All by cloud security firm Orca, affects an estimated 250,000 active GKE clusters in the wild.
According to a report shared with The Hacker News by security researcher Ofir Yakobi, the issue arises from a common misconception about the system:authenticated group in GKE. Many administrators believed it included only verified, organization-specific identities, but in reality it covers any Google-authenticated account, including accounts outside the organization.
The system:authenticated group is a special category that includes all authenticated entities, such as human users and service accounts. This becomes problematic when administrators unintentionally grant it overly permissive roles.
In practical terms, an external threat actor with a Google account could exploit this misconfiguration by using their Google OAuth 2.0 bearer token to take control of the cluster. This unauthorized access could lead to various malicious activities, including lateral movement, cryptomining, denial-of-service attacks, and theft of sensitive data.
Compounding the issue, this method leaves no trail that leads back to the original Gmail or Google Workspace account that obtained the OAuth bearer token.
Sys:All has already impacted numerous organizations, resulting in the exposure of sensitive data such as JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and credentials to container registries. The last of these could be used to compromise container images.
Following responsible disclosure to Google, the company has taken steps to address the vulnerability. In GKE versions 1.28 and later, Google has blocked the binding of the system:authenticated group to the cluster-admin role.
In its documentation, Google now advises users: "To help secure your clusters against mass malware attacks that exploit cluster-admin access misconfigurations, GKE clusters running version 1.28 and later won't allow you to bind the cluster-admin ClusterRole to the system:anonymous user or to the system:unauthenticated or system:authenticated groups."
Google also recommends that users not bind the system:authenticated group to any RBAC role, and that they check whether their clusters contain unsafe bindings to the group in both ClusterRoleBindings and RoleBindings, removing any they find.
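The audit Google describes can be scripted against the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` returns. The script below is an added example written for this article, not Orca's or Google's tooling: it flags every binding whose subjects include the system:authenticated or system:unauthenticated group or the system:anonymous user, ranks a cluster-admin grant (the exact Sys:All pattern) as critical, and prints the kubectl command an operator would review before removing the binding. The allowlist of default ClusterRoles (system:basic-user, system:discovery, system:public-info-viewer) and the sample bindings in SAMPLE are assumptions constructed for the example.

```python
"""Audit Kubernetes RBAC bindings for grants to the broad built-in subjects
behind the Sys:All issue: the system:authenticated and system:unauthenticated
groups and the system:anonymous user.

Input has the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`
(a List whose items carry kind, metadata, roleRef and subjects). SAMPLE below
is constructed for this example; pass a real dump's path as the first argument.
"""
import json
import sys

# Subjects that any Google-authenticated (or unauthenticated) caller matches.
BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}

# ClusterRoles Kubernetes binds to system:authenticated out of the box; they
# expose only API discovery and self-info. Treating them as benign is an
# assumption of this example: compare the list with your own cluster's defaults.
DEFAULT_CLUSTER_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def remediation(kind, name, namespace):
    """kubectl command an operator would review before removing the binding."""
    if kind == "ClusterRoleBinding":
        return f"kubectl delete clusterrolebinding {name}"
    return f"kubectl delete rolebinding {name} -n {namespace}"


def find_risky_bindings(dump):
    """Return one finding per (binding, broad subject) pair, worst first."""
    findings = []
    for item in dump.get("items", []):
        kind = item.get("kind")
        meta = item.get("metadata", {})
        name, namespace = meta.get("name"), meta.get("namespace")
        role_ref = item.get("roleRef", {})
        role_kind, role = role_ref.get("kind"), role_ref.get("name")
        for subject in item.get("subjects") or []:
            if (subject.get("kind"), subject.get("name")) not in BROAD_SUBJECTS:
                continue
            # Skip the discovery-only bindings every cluster ships with.
            if kind == "ClusterRoleBinding" and role_kind == "ClusterRole" \
                    and role in DEFAULT_CLUSTER_ROLES:
                continue
            if role == "cluster-admin":
                severity = "CRITICAL"   # the pattern GKE 1.28+ now refuses to create
            elif kind == "ClusterRoleBinding":
                severity = "HIGH"       # cluster-wide grant of some other role
            else:
                severity = "MEDIUM"     # grant limited to a single namespace
            findings.append({
                "severity": severity,
                "binding": f"{kind}/{name}" + (f" (ns={namespace})" if namespace else ""),
                "role": f"{role_kind}/{role}",
                "subject": f"{subject.get('kind')}:{subject.get('name')}",
                "fix": remediation(kind, name, namespace),
            })
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


def _crb(name, role, subjects):
    """Helper to build a constructed ClusterRoleBinding item."""
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}


# Constructed sample: one Sys:All-style binding, one default binding, one
# anonymous grant, one legitimate team binding, and one namespaced grant.
SAMPLE = {"kind": "List", "items": [
    _crb("sysall-admin", "cluster-admin", [{"kind": "Group", "name": "system:authenticated"}]),
    _crb("system:basic-user", "system:basic-user", [{"kind": "Group", "name": "system:authenticated"}]),
    _crb("anon-viewer", "view", [{"kind": "User", "name": "system:anonymous"}]),
    _crb("ci-deployer", "edit", [{"kind": "Group", "name": "ci-team@example.com"}]),
    {"kind": "RoleBinding", "metadata": {"name": "debug-pods", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            dump = json.load(fh)
    else:
        dump = SAMPLE
    for f in find_risky_bindings(dump):
        print(f"[{f['severity']}] {f['binding']} grants {f['role']} to {f['subject']}  ->  {f['fix']}")
```

Run it with no arguments to see the three findings from the constructed sample, or point it at a saved `kubectl get ... -o json` dump. Review each finding before deleting: a namespaced RoleBinding to system:authenticated is still a grant to every Google account, so the medium rating only reflects blast radius, not legitimacy.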
Orca cautions that while there's no public record of large-scale attacks using this method, it could be just a matter of time. Users are urged to take appropriate measures to secure their cluster access controls.
"Even though this is an improvement, it is important to note that this still leaves many other roles and permissions that can be assigned to the group," warned Orca.
