Aug 19 2024

Azure Kubernetes Services Vulnerability Let Attackers Escalate Privileges

Category: Least Privilege, Security vulnerabilities
disc7 @ 9:34 pm

The node provisioning configuration, reachable from a Pod inside the cluster, contained transport layer security (TLS) bootstrap tokens that the attacker could extract and use to perform a TLS bootstrap attack. A bootstrap token is what a new node presents to request a client certificate from the cluster; an attacker holding one can obtain such a certificate and, acting with node-level access, read all secrets within the cluster.

Notably, the attack did not require the compromised Pod to run with hostNetwork enabled or as the root user, which significantly expanded the attack surface: any Pod with command execution could reach the required endpoints.

The attack involved accessing the undocumented Azure WireServer component at http://168.63.129.16/machine/?comp=goalstate and the HostGAPlugin endpoint at http://168.63.129.16:32526/vmSettings.

The attacker could retrieve a key from the WireServer that decrypts protected settings values. They could then request the JSON document from HostGAPlugin, parse it, and Base64-decode the protected settings field it carried to obtain the encrypted provisioning script (protected_settings.bin).

Using the WireServer key, the attacker could decrypt protected_settings.bin to access the cluster’s provisioning script (cse_cmd.sh). This script contained several secrets as environment variables, including:

  • KUBELET_CLIENT_CONTENT – Generic Node TLS Key
  • KUBELET_CLIENT_CERT_CONTENT – Generic Node TLS Certificate
  • KUBELET_CA_CRT – Kubernetes CA Certificate
  • TLS_BOOTSTRAP_TOKEN – TLS Bootstrap Authentication Token
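As an added example (not code from this article, from the researchers who reported the issue, or from Azure), the following Python script audits a provisioning script of this shape for embedded credentials: it finds shell variable assignments, strictly Base64-decodes each value, reports PEM certificates and private keys it uncovers, recognises the Kubernetes bootstrap token format (a 6-character id, a dot, a 16-character secret) and names the kube-system Secret, bootstrap-token-<id>, whose deletion revokes that token. The variable names are the ones listed above; the sample script and every key, certificate and token value in it are constructed placeholders.

```python
"""Audit a node provisioning script for embedded cluster credentials.

Added example, not code from the original article, from the reporting
researchers, or from Azure/AKS. The variable names come from the article;
the sample script and all certificate, key and token values below are
constructed placeholders.
"""
import base64
import binascii
import re

# Environment variables the article reports in cse_cmd.sh, with what they hold.
KNOWN_SECRET_VARS = {
    "KUBELET_CLIENT_CONTENT": "node TLS private key",
    "KUBELET_CLIENT_CERT_CONTENT": "node TLS certificate",
    "KUBELET_CA_CRT": "cluster CA certificate",
    "TLS_BOOTSTRAP_TOKEN": "TLS bootstrap token",
}

# Kubernetes bootstrap tokens are "<6-char id>.<16-char secret>", lowercase alphanumerics.
BOOTSTRAP_TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")
PEM_HEADER_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")
# Shell assignments such as FOO="..." or export FOO=...
ASSIGN_RE = re.compile(r"^(?:export\s+)?([A-Z][A-Z0-9_]*)=(.*)$")


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _b64_to_text(value):
    """Strictly Base64-decode; return None if the value is not Base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii", errors="replace")


def classify(name, value):
    """Return a finding for one assignment, or None if it carries no credential."""
    decoded = _b64_to_text(value)
    pem = PEM_HEADER_RE.search(decoded) if decoded else None
    if pem:
        kind = pem.group(1)  # e.g. CERTIFICATE, RSA PRIVATE KEY, EC PRIVATE KEY
        severity = "high" if "PRIVATE KEY" in kind else "info"
        return {"name": name, "kind": f"PEM {kind}", "severity": severity}
    if BOOTSTRAP_TOKEN_RE.match(value):
        # The token id names the kube-system Secret holding it; deleting that Secret revokes it.
        token_id = value.split(".")[0]
        return {
            "name": name,
            "kind": "bootstrap token",
            "severity": "high",
            "revoke": f"kubectl -n kube-system delete secret bootstrap-token-{token_id}",
        }
    if name in KNOWN_SECRET_VARS:
        # Known credential variable whose value could not be decoded: still report it.
        return {"name": name, "kind": KNOWN_SECRET_VARS[name], "severity": "medium"}
    return None


def scan_script(text):
    """Scan shell script text line by line and return credential findings in file order."""
    findings = []
    for line in text.splitlines():
        match = ASSIGN_RE.match(line.strip())
        if not match:
            continue
        finding = classify(match.group(1), _unquote(match.group(2)))
        if finding:
            findings.append(finding)
    return findings


# --- Constructed sample input (placeholder material, not real keys) ---
def _b64(text):
    return base64.b64encode(text.encode()).decode()

_FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERKEYMATERIAL\n-----END RSA PRIVATE KEY-----\n"
_FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERTIFICATE\n-----END CERTIFICATE-----\n"

SAMPLE_SCRIPT = f"""#!/bin/bash
# constructed stand-in for a cse_cmd.sh provisioning script
KUBELET_CLIENT_CONTENT="{_b64(_FAKE_KEY)}"
KUBELET_CLIENT_CERT_CONTENT="{_b64(_FAKE_CERT)}"
KUBELET_CA_CRT="{_b64(_FAKE_CERT)}"
TLS_BOOTSTRAP_TOKEN="abcdef.0123456789abcdef"
KUBELET_NODE_LABELS="agentpool=nodepool1"
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        extra = f"  revoke: {f['revoke']}" if "revoke" in f else ""
        print(f"[{f['severity']:6}] {f['name']}: {f['kind']}{extra}")
```

To use it on a real script, pass the text of cse_cmd.sh to scan_script(). A single private-key or bootstrap-token finding means the node credentials should be treated as exposed: delete the named bootstrap-token Secret and rotate the node certificates rather than only removing the script.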

Exploiting the Vulnerability


Tags: Azure Kubernetes
