GCP-2023-047

Google Cloud Platform Security Advisory

Published: 2023-12-14

GKE

Description

An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster. The issues with Fluent Bit and Anthos Service Mesh have been mitigated and fixes are now available. These vulnerabilities are not exploitable on their own in GKE and require an initial compromise. We are not aware of any instances of exploitation of these vulnerabilities.

These issues were reported through our Vulnerability Reward Program.

What should I do?

The following GKE versions include the fixes for these vulnerabilities in Fluent Bit and, for users of managed Anthos Service Mesh, in Anthos Service Mesh. For security purposes, even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and node pools to one of the following GKE versions or later:

  • 1.25.16-gke.1020000
  • 1.26.10-gke.1235000
  • 1.27.7-gke.1293000
  • 1.28.4-gke.1083000

A recent feature of release channels allows you to apply a patch without having to unsubscribe from a channel. This lets you secure your nodes until the new version becomes the default for your specific release channel.

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4
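The bulletin lists a minimum fixed version per minor line rather than a single version, so "am I patched?" is a per-line comparison of the patch number and the trailing gke./asm. build number. The following is an added example, not Google's code, that encodes the GKE and in-cluster ASM fixed versions above and triages a constructed cluster inventory (cluster names and versions are made up); a minor line the bulletin does not list is reported for manual review rather than assumed fixed.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed versions from this bulletin, keyed by (major, minor) line.
GKE_FIXED = {(1, 25): (16, 1020000), (1, 26): (10, 1235000),
             (1, 27): (7, 1293000), (1, 28): (4, 1083000)}
ASM_FIXED = {(1, 17): (8, 8), (1, 18): (6, 2), (1, 19): (5, 4)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(gke|asm)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, str, int]:
    """Split '1.27.7-gke.1293000' or '1.18.6-asm.2' into numeric parts."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, product, build = m.groups()
    return int(major), int(minor), int(patch), product, int(build)


def is_patched(version: str) -> Optional[bool]:
    """True if at/after the fixed release for its minor line, False if older,
    None if the minor line is not listed in the bulletin (review manually)."""
    major, minor, patch, product, build = parse_version(version)
    fixed = (GKE_FIXED if product == "gke" else ASM_FIXED).get((major, minor))
    if fixed is None:
        return None
    return (patch, build) >= fixed  # patch number first, then the build number


def needs_action(gke_version: str, asm_version: Optional[str] = None) -> List[str]:
    """Reasons a cluster still needs work: the GKE version must be fixed and,
    if the cluster runs in-cluster ASM, that ASM version must be fixed too."""
    reasons = []
    for label, ver in (("GKE", gke_version), ("in-cluster ASM", asm_version)):
        if ver is None:
            continue
        state = is_patched(ver)
        if state is False:
            reasons.append(f"{label} {ver} is below the fixed version")
        elif state is None:
            reasons.append(f"{label} {ver}: minor line not in bulletin, review manually")
    return reasons


# Constructed sample inventory (not real clusters): name -> (GKE version, in-cluster ASM or None).
SAMPLE_INVENTORY = {
    "prod-eu": ("1.27.7-gke.1293000", None),
    "prod-us": ("1.26.9-gke.1500000", "1.18.6-asm.2"),
    "dev": ("1.28.4-gke.1083000", "1.19.4-asm.9"),
}

if __name__ == "__main__":
    for name, (gke, asm) in SAMPLE_INVENTORY.items():
        print(name, needs_action(gke, asm) or ["ok"])
```

The same `is_patched` check on the asm. versions applies to the in-cluster Anthos Service Mesh requirement for the non-GKE platforms in this bulletin.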

What vulnerabilities are being addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to compromise the Fluent Bit logging container. We are not aware of any existing vulnerabilities in Fluent Bit that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

GKE uses Fluent Bit to process logs for workloads running on clusters. Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node. The researcher used this access to discover a highly privileged service account token for clusters that have Anthos Service Mesh enabled.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster’s configuration, including the ability to create and delete Pods. The researcher used Anthos Service Mesh’s privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have removed Fluent Bit’s access to the service account tokens and have redesigned the functionality of Anthos Service Mesh to remove excess privileges.

Severity: Medium

GKE on VMware

Description

Only GKE on VMware clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster’s configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh’s privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Severity: Medium

GKE on AWS

Description

Only GKE on AWS clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster’s configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh’s privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Severity: Medium

GKE on Azure

Description

Only GKE on Azure clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster’s configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh’s privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Severity: Medium

GKE on Bare Metal

Description

Only GKE on Bare Metal clusters using Anthos Service Mesh are affected.

What should I do?

If your cluster uses in-cluster Anthos Service Mesh, you must manually upgrade to one of the following versions (release notes):

  • 1.17.8-asm.8
  • 1.18.6-asm.2
  • 1.19.5-asm.4

What vulnerabilities are addressed by this patch?

The vulnerabilities addressed by this bulletin require an attacker to first either compromise or otherwise break out of a container or have root on a cluster Node. We are not aware of any existing vulnerabilities that would lead to this prerequisite condition for privilege escalation. We have patched these vulnerabilities as hardening measures to prevent a potential full attack chain in the future.

Anthos Service Mesh required high privileges to make necessary modifications to a cluster’s configuration including the ability to create and delete Pods. The researcher used Anthos Service Mesh’s privileged Kubernetes service account token to escalate their initial compromised privileges by creating a new pod with cluster-admin privileges.

We have redesigned the functionality of Anthos Service Mesh to remove excessive privileges.

Severity: Medium
