Researchers have recently disclosed a significant security vulnerability impacting Microsoft Azure Kubernetes Services (AKS), which could lead to serious privilege escalation and unauthorized access to cluster secrets. The flaw, identified as a TLS bootstrap attack, affects AKS clusters configured with Azure CNI and Azure Network Policy. By exploiting this vulnerability, an attacker with command execution capabilities within a pod can download configuration files used to provision cluster nodes, potentially leading to the extraction of sensitive TLS bootstrap tokens.
The attack leverages a component known as Azure WireServer to retrieve a key that encrypts protected settings. This key is then used to decode a provisioning script that includes crucial secrets such as TLS keys, certificates, and authentication tokens. The extracted TLS_BOOTSTRAP_TOKEN can enable an attacker to perform a bootstrap attack and gain access to all secrets within the cluster. Although the compromised account typically has minimal Kubernetes permissions, it can still list nodes and escalate privileges to access more sensitive data.
Microsoft has responded to the disclosure by addressing the issue through updates to Azure Kubernetes Services. However, researchers from Mandiant recommend that organizations implement restrictive NetworkPolicies to mitigate the risk of such attacks. This approach involves limiting access to only the necessary services, which can effectively prevent unauthorized access and protect against similar privilege escalation vulnerabilities.
This disclosure follows other recent security findings, including a high-severity vulnerability in the ingress-nginx controller and a design flaw in the Kubernetes git-sync project. These issues highlight the ongoing challenges in securing Kubernetes environments and underscore the importance of regular security audits and robust defense mechanisms. Organizations using Azure Kubernetes Services are urged to review their configurations and security policies to ensure comprehensive protection against these emerging threats.
Reference:
