A Google Kubernetes Engine bug leaves any cluster vulnerable to takeover from ANY Google account. Misunderstood authentication exposes sensitive data and forces Google to roll out fixes.
Cloud security firm Orca researchers have discovered that a widespread misunderstanding of a key authentication parameter in Google Kubernetes Engine leaves clusters at risk of takeover.
Orca Security has presented two detailed technical explanations of the issue here and here.
The summary is simple: the takeover can be exploited by “an attacker with any Google account.”
“The loophole, which we dubbed Sys: All, stems from a likely widespread misconception that the system: authenticated group in Google Kubernetes Engine (GKE) includes only verified and deterministic identities, whereas it includes any Google-authenticated account (including outside the organization),” Orca explained.
“This misunderstanding creates a significant security loophole when administrators unknowingly bind this group with overly permissive roles.”
The Sys: All names indicate that if someone can exploit the authentication mechanism, they get extensive access to the target cluster.
“These misconfigurations led to the exposure of various sensitive data types, including JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, and private keys,” Orca wrote.
They gave the example of an unnamed “publicly traded company where this misconfiguration resulted in extensive unauthorized access, potentially leading to system-wide security breaches.”
Google’s response
While the vulnerabilities stem from a misunderstanding of the system: authenticated group, Google has made changes (detailed in this security bulletin) in GKE version 1.28 it said are designed to reduce the risk of “users making authorization errors with the Kubernetes built-in users and groups, including system: anonymous, system: authenticated, and system: unauthenticated”.
These actions include blocking new bindings of the highly privileged admin role to those groups.
Orca also discovered that a Sys: All attack left almost no trails, so Google has added detection rules to its security command center and prevention rules to the policy controller.
