Microsoft Azure Kubernetes Service was exploitable for hackers

Microsoft’s Azure Kubernetes Service (AKS) was affected by a critical privilege escalation vulnerability, Mandiant recently disclosed. An attacker could have obtained the credentials used by services running in affected Kubernetes clusters.

According to Mandiant, the vulnerability affected AKS clusters that used Azure CNI for their network configuration and “Azure” for their network policy. An attacker with command execution in a pod of such a cluster could download the configuration used to provision the cluster node.

That configuration included the TLS bootstrap tokens, which the attacker could use to carry out a TLS bootstrap attack and read all secrets in the affected cluster.

Relationship to Azure WireServer

The newly found vulnerability relates to Azure WireServer, an undocumented Azure component that the platform itself uses internally for a range of tasks. Building on earlier research by CyberCX, the researchers found that the key used to protect extension settings (the “protected settings”) could be retrieved from WireServer.

An attacker with command execution in a pod of an affected AKS cluster could exploit this to download the node’s configuration, including the TLS bootstrap tokens used when a Kubernetes node first starts up.

Because the pod could reach WireServer and a ‘HostGAPlugin’ endpoint, the attacker was able to retrieve and decrypt the settings of several VM extensions. One example is the Custom Script Extension used to provision the VM, whose settings could thereby be read in the clear.
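As an added example (this is not code from the article, Mandiant or Microsoft), the following Python script can be run from inside a workload pod to check whether it can reach the two platform endpoints involved. The article does not give their addresses; the script assumes the well-known Azure values, WireServer on 168.63.129.16:80 and HostGAPlugin on 168.63.129.16:32526.

```python
"""Probe whether a pod can reach the Azure WireServer / HostGAPlugin endpoints.

Added example; not code from the original article or from Mandiant/Microsoft.
Assumptions (labelled): WireServer listens on 168.63.129.16:80 and the
HostGAPlugin on 168.63.129.16:32526 (the well-known Azure platform endpoints),
and the script is run from inside a pod of the cluster being assessed.
"""
import socket
from typing import Dict, Tuple

WIRESERVER_IP = "168.63.129.16"  # assumption: Azure platform address
ENDPOINTS: Dict[str, Tuple[str, int]] = {
    "wireserver_goalstate": (WIRESERVER_IP, 80),
    "hostgaplugin_vmsettings": (WIRESERVER_IP, 32526),
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.
    Refused, unreachable and timed-out connections all count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_wireserver_exposure(timeout: float = 2.0) -> Dict[str, bool]:
    """Probe each platform endpoint from the current network namespace.
    Any True value means the pod can talk to the host-side metadata plane that
    the AKS issue abused, and egress to it should be blocked."""
    return {name: tcp_reachable(host, port, timeout)
            for name, (host, port) in ENDPOINTS.items()}


def exposed(results: Dict[str, bool]) -> bool:
    """True if at least one probed endpoint was reachable."""
    return any(results.values())


if __name__ == "__main__":
    res = check_wireserver_exposure()
    for name, ok in res.items():
        print(f"{name}: {'REACHABLE' if ok else 'blocked'}")
    raise SystemExit(1 if exposed(res) else 0)
```

A reachable HostGAPlugin port from an ordinary workload pod is the condition to fix. Note that 168.63.129.16 also serves Azure-provided DNS on port 53, so an egress NetworkPolicy should block only ports 80 and 32526 on that address rather than the whole host.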

New and unexpected security issues

Microsoft fixed the problem before details of the vulnerability were disclosed. Experts nevertheless point out that complex modern cloud environments can still harbour unexpected security problems like this one.

Building these new cloud environments, they say, further expands the attack surface, and the resulting risks are often not immediately obvious. Every possible entry point must therefore be considered, including components whose existence was previously unknown.

Measures to be taken

In the case of the AKS privilege escalation vulnerability, experts advise companies to review all their AKS configurations immediately, especially clusters that use “Azure CNI” for network configuration and “Azure” for network policy.

They should also rotate all Kubernetes secrets, enforce strict security measures for pods and set up robust logging and monitoring to detect suspicious activity.
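One concrete form such monitoring can take, as an added example that is not from the article, Mandiant or Microsoft: a check over the Kubernetes API server audit log for the traces a TLS bootstrap attack leaves, namely a bootstrap token used from an address that is not a node, a bootstrap identity touching anything other than certificate signing requests, or a node identity reading secrets from a non-node address. The audit events, node name and IP addresses below are constructed for illustration, and the set of legitimate node IPs is assumed to be known to the defender.

```python
"""Flag audit-log signs of TLS bootstrap token abuse in a Kubernetes cluster.

Added example; this is not code from the original article, Mandiant or Microsoft.
Assumptions (labelled): the API server audit log is available as JSON lines in the
audit.k8s.io/v1 Event format, and the defender has an inventory of the IP addresses
of legitimate nodes. The node name, IPs and events below are constructed.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed inventory (assumption): the addresses of the cluster's real nodes.
KNOWN_NODE_IPS: Set[str] = {"10.224.0.4", "10.224.0.5"}

NODE = "system:node:aks-nodepool1-00000000-vmss000000"  # constructed node identity


def _event(verb: str, username: str, ip: str, resource: str, ts: str) -> str:
    """Build one constructed audit.k8s.io/v1 Event as a JSON line."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
        "user": {"username": username},
        "sourceIPs": [ip],
        "objectRef": {"resource": resource},
        "requestReceivedTimestamp": ts,
    })


# Constructed sample log. With Azure CNI, pods take IPs from the same VNet subnet
# as the nodes, so a subnet check cannot tell a pod from a node; exact node IPs can.
SAMPLE_AUDIT_LINES: List[str] = [
    # Legitimate node join: bootstrap token creates a CSR from a real node IP.
    _event("create", "system:bootstrap:abcdef", "10.224.0.5",
           "certificatesigningrequests", "2024-08-01T10:00:00Z"),
    # Stolen bootstrap token replayed from a pod address to request a node certificate.
    _event("create", "system:bootstrap:abcdef", "10.224.0.37",
           "certificatesigningrequests", "2024-08-01T10:05:00Z"),
    # Bootstrap identity touching secrets directly, outside the CSR flow.
    _event("get", "system:bootstrap:abcdef", "10.224.0.37",
           "secrets", "2024-08-01T10:05:10Z"),
    # Node identity reading a secret from its own IP: normal kubelet behaviour.
    _event("get", NODE, "10.224.0.4", "secrets", "2024-08-01T10:06:00Z"),
    # Same node identity from a non-node IP: a forged node certificate in use.
    _event("list", NODE, "10.224.0.37", "secrets", "2024-08-01T10:07:00Z"),
]


def suspicious_events(lines: Iterable[str],
                      node_ips: Set[str] = KNOWN_NODE_IPS) -> List[Dict[str, str]]:
    """Return one finding per audit event that matches a bootstrap-attack pattern:
    a bootstrap identity doing anything other than the CSR flow, a bootstrap CSR
    from an address that is not a known node, or a node identity reading secrets
    from an address that is not a known node."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "")
        resource = ev.get("objectRef", {}).get("resource", "")
        ips = ev.get("sourceIPs", [])
        foreign = [ip for ip in ips if ip not in node_ips]
        reason = None
        if user.startswith("system:bootstrap:"):
            if resource != "certificatesigningrequests":
                reason = "bootstrap identity used outside the CSR flow"
            elif foreign:
                reason = "bootstrap CSR from a non-node address"
        elif user.startswith("system:node:") and resource == "secrets" and foreign:
            reason = "node identity reading secrets from a non-node address"
        if reason:
            findings.append({
                "time": ev.get("requestReceivedTimestamp", ""),
                "user": user,
                "verb": ev.get("verb", ""),
                "resource": resource,
                "sourceIP": ",".join(ips),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_events(SAMPLE_AUDIT_LINES):
        print(f"{f['time']} {f['sourceIP']:>12} {f['user']} "
              f"{f['verb']} {f['resource']}: {f['reason']}")
```

The node-IP inventory matters more than it might seem: in the Azure CNI configuration the article describes, pods receive addresses from the same VNet subnet as the nodes, so a CIDR-based check would pass a pod's request as if it came from a node. Feed the function the audit log of a cluster whose nodes are known, and treat any finding as a reason to rotate the bootstrap tokens and secrets.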
