Advisory

Google patches flaws in their Kubernetes Engine that can be chained for cluster takeover

Take action: This is a very specific set of flaws that requires an initial compromise of your Google Kubernetes Engine cluster (or a malicious insider). No need to panic, but it is wise to be aware of the issues and to include the fixed versions in your maintenance cycle.


Learn More

Palo Alto Networks has reported that combining two vulnerabilities found in Google Kubernetes Engine (GKE) could allow an attacker who already has access to a Kubernetes cluster to escalate privileges and gain full control of the cluster.

The vulnerabilities are located in FluentBit, the default log processing agent in GKE since March 2023, and in Anthos Service Mesh (ASM), an optional component for managing inter-service communications. FluentBit operates as a DaemonSet, and ASM is based on the open-source Istio Service Mesh project.

These vulnerabilities, individually very low risk, can be chained together into an exploit, especially if an attacker can execute code in the FluentBit container or escape from another container. Such exploitation would enable unauthorized access to and control over the Kubernetes cluster, potentially leading to data theft, deployment of malicious pods, and disruption of cluster operations.

An attacker can exploit the FluentBit vulnerability to locate the Istio container, then leverage the excessive permissions of the ASM CNI DaemonSet to create a 'powerful' pod. This allows them to target a service account with high privileges and act as a cluster administrator.

Google responded on December 14 with patches for these issues and is urging users to manually update their clusters and node pools. GKE versions 1.25.16-gke.1020000, 1.26.10-gke.1235000, 1.27.7-gke.1293000, and 1.28.4-gke.1083000, and ASM versions 1.17.8-asm.8, 1.18.6-asm.2, and 1.19.5-asm.4 resolve the bugs.