Researchers from cloud security firm Orca have discovered that a widespread misunderstanding of a built-in Kubernetes group, as it behaves in Google Kubernetes Engine, leaves clusters at risk of takeover.
Orca Security has published two detailed technical write-ups of the issue.
The summary is simple: the misconfiguration can be exploited by “an attacker with any Google account”.
“The loophole, which we dubbed Sys:All, stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine (GKE) includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (including outside the organisation),” Orca explained.
“This misunderstanding then creates a significant security loophole when administrators unknowingly bind this group with overly permissive roles.”
The Sys:All name reflects the scope of the problem: because system:authenticated covers every Google account, a binding that grants that group a privileged role hands the same access to anyone who can log in to Google, not just to members of the organisation.
“These misconfigurations led to the exposure of various sensitive data types, including JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, and private keys,” Orca wrote.
They gave the example of an unnamed “publicly traded company where this misconfiguration resulted in extensive unauthorized access, potentially leading to system-wide security breaches.”
Google’s response
While the exposures stem from a misunderstanding of the system:authenticated group rather than from a flaw in GKE itself, Google has made changes, detailed in a security bulletin, from GKE version 1.28 onward that it said are designed to reduce the risk of “users making authorisation errors with the Kubernetes built-in users and groups, including system:anonymous, system:authenticated, and system:unauthenticated”.
These changes include blocking new bindings of the built-in cluster-admin ClusterRole to those groups. Because the block covers new bindings of that one role, existing bindings and bindings of other permissive roles still need to be reviewed.
Orca also found that a Sys:All attack leaves almost no trace on the target cluster, so Google has added detection rules to Security Command Center and prevention rules to Policy Controller.
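The audit that both Orca's description of the loophole and Google's partial block call for is a review of every RBAC binding whose subjects include the built-in "everyone" identities. The following script is an added example, not code from Orca or Google: it reads the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` produces, skips the three ClusterRoleBindings that upstream Kubernetes creates for system:authenticated on purpose (system:basic-user, system:discovery, system:public-info-viewer), and flags everything else, rating bindings of cluster-admin, admin or edit as critical. The bindings in the embedded sample are constructed for illustration; the binding and namespace names in it are hypothetical.

```python
"""Audit Kubernetes RBAC bindings for grants to the built-in "everyone" groups.

Added example, not Orca's or Google's code.  Input is the JSON printed by
`kubectl get clusterrolebindings,rolebindings -A -o json`; the sample below is
constructed for illustration.
"""
import json

# Built-in subjects that every caller belongs to.  On GKE, system:authenticated
# covers any Google account, so a binding to any of these is a grant to the world.
EVERYONE_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}

# ClusterRoleBindings that upstream Kubernetes creates for these groups on purpose
# (API discovery and basic self-introspection only).  Anything else deserves a look.
EXPECTED_DEFAULT_BINDINGS = {
    "system:basic-user",
    "system:discovery",
    "system:public-info-viewer",
}

# Roles that hand over the cluster (or a namespace) outright if granted to everyone.
CRITICAL_ROLES = {"cluster-admin", "admin", "edit"}


def audit_bindings(items):
    """Return findings for bindings whose subjects include an everyone-subject.

    `items` is the `items` array of kubectl's JSON output, holding
    ClusterRoleBinding and RoleBinding objects.  Critical findings sort first.
    """
    findings = []
    for binding in items:
        kind = binding.get("kind")
        name = binding["metadata"]["name"]
        namespace = binding["metadata"].get("namespace")
        role_ref = binding.get("roleRef", {})
        hits = [
            s for s in (binding.get("subjects") or [])
            if (s.get("kind"), s.get("name")) in EVERYONE_SUBJECTS
        ]
        if not hits:
            continue
        # The upstream defaults are expected; only flag bindings beyond them.
        if kind == "ClusterRoleBinding" and name in EXPECTED_DEFAULT_BINDINGS:
            continue
        severity = "CRITICAL" if role_ref.get("name") in CRITICAL_ROLES else "HIGH"
        where = f"{kind}/{name}" + (f" (namespace {namespace})" if namespace else "")
        findings.append({
            "severity": severity,
            "binding": where,
            "role": f"{role_ref.get('kind')}/{role_ref.get('name')}",
            "subjects": sorted(s["name"] for s in hits),
        })
    return sorted(findings, key=lambda f: (f["severity"] != "CRITICAL", f["binding"]))


def audit_json(text):
    """Parse kubectl's JSON List output and audit its items."""
    return audit_bindings(json.loads(text)["items"])


# Constructed sample: one upstream default, one Sys:All-style cluster-admin grant,
# one namespaced read grant to everyone, and one legitimate binding to a named group.
SAMPLE_KUBECTL_OUTPUT = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
         "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "all-users-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "payments"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-team"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "ops-admins@example.com"}]},
    ],
})

if __name__ == "__main__":
    for f in audit_json(SAMPLE_KUBECTL_OUTPUT):
        print(f"{f['severity']:8} {f['binding']} -> {f['role']} for {', '.join(f['subjects'])}")
```

Against a live cluster, pipe the kubectl output into `audit_json` (or read it from a file); on the sample it reports the cluster-admin grant as critical and the namespaced view grant as high, and stays silent on the upstream default and on the binding to a named group. The remediation is the one Orca's finding implies: replace the system:authenticated subject with the specific users, Google Groups or service accounts that should hold the role.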