Escalating Privileges in Azure Kubernetes Services: A Critical Threat Exposed

On August 19, 2024, Mandiant released a report uncovering a critical privilege escalation vulnerability within Microsoft Azure Kubernetes Services (AKS).


Introduction

On August 19, 2024, Mandiant released a detailed report uncovering a critical privilege escalation vulnerability within Microsoft Azure Kubernetes Services (AKS). This flaw allowed attackers with access to a vulnerable AKS cluster to escalate privileges and obtain sensitive credentials used by the cluster. The potential consequences of exploiting this vulnerability include data theft, financial loss, and significant reputational damage. Although Microsoft has since patched the issue, the report sheds light on the broader security implications and necessary steps to prevent such threats in the future.

Report Overview

Kubernetes, a popular container orchestration platform, presents significant hardening challenges. Requiring authentication for internal services, enforcing granular NetworkPolicies, and restricting unsafe workloads with Pod Security have become essential practices for limiting what an attacker can do after an initial foothold. However, AKS clusters configured with "Azure CNI" for "Network configuration" and "Azure" for "Network Policy" were found to be vulnerable to a serious privilege escalation attack. Mandiant disclosed the vulnerability to Microsoft through the Microsoft Security Response Center (MSRC) vulnerability disclosure program, and Microsoft has since fixed it.

The discovered vulnerability allowed an attacker with command execution within a Pod running on an affected AKS cluster to download the configuration used for provisioning the cluster node. From there, the attacker could extract Transport Layer Security (TLS) bootstrap tokens and perform a TLS bootstrap attack, granting access to all secrets within the cluster. Notably, this attack did not require the Pod to be running with hostNetwork set to true or running as root, making it particularly dangerous.

The core issue lies in how Kubernetes Nodes are bootstrapped. The kubelet, which runs on every Kubernetes Node, needs a TLS certificate signed by the control plane's Certificate Authority (CA) before it can join the cluster securely. The attack abused the metadata server, reachable at http://169.254.169.254 across cloud providers, to obtain the static token used when provisioning VMs. With that token, an attacker could authenticate to the cluster as if they were a legitimate VM, request new kubelet certificates, and from there compromise the entire Kubernetes cluster.

The implications of this vulnerability are severe. An attacker could gain access to sensitive data, disrupt services, and potentially cause widespread harm to an organization. The risk extends beyond just the compromised cluster, as it could lead to further network infiltration, data breaches, and loss of trust from customers and partners. The need for stringent security practices and proactive threat monitoring in cloud environments is underscored by this incident.

Insights and Analysis

Mandiant's report emphasizes the critical need for proper security configurations in Kubernetes environments, particularly in managed services like Azure Kubernetes Services. The authors stress the importance of enforcing NetworkPolicies that limit Pod access to essential services only, thereby preventing unauthorized access to critical components like the metadata server.

To mitigate the risks associated with this vulnerability, organizations should adopt a process of creating restrictive NetworkPolicies that allow access only to required services. Ensuring that services like the metadata server are inaccessible from Pods can prevent similar privilege escalation attacks. Furthermore, ongoing security assessments and regular updates to Kubernetes clusters are essential to safeguard against emerging threats.
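As an added example (not from the Mandiant report or from AKS itself), the following namespace-wide NetworkPolicy implements the mitigation above for the attack path described earlier: it blocks Pod egress to the instance metadata endpoint (169.254.169.254) and the Azure WireServer (168.63.129.16), the two addresses listed in the IOC table, while still permitting DNS and all other egress. The namespace name "workloads" and the CoreDNS label "k8s-app: kube-dns" are assumptions.

```yaml
# Added example: default-deny egress to the two Azure management endpoints
# that the privilege escalation relied on. Everything else stays reachable.
# The namespace "workloads" and the CoreDNS pod label are assumed values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-and-wireserver
  namespace: workloads
spec:
  # Empty podSelector: the policy applies to every Pod in the namespace.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Allow DNS to the cluster resolver in kube-system (UDP and TCP 53).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow all other egress, except the metadata server and WireServer.
    # Pods have no legitimate need to reach the node-provisioning config,
    # so the TLS bootstrap token is no longer retrievable from inside a Pod.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
              - 168.63.129.16/32
```

After applying it, verify from a test Pod that cluster services still resolve and that requests to both addresses time out; any workload that legitimately uses the instance metadata endpoint (for example to obtain managed identity tokens) needs its own explicit exception.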

In summary, the discovery of this vulnerability in Azure Kubernetes Services highlights the importance of maintaining robust security practices in cloud environments. By implementing proactive measures and staying informed about potential threats, organizations can better protect themselves from the significant risks posed by such vulnerabilities.

Indicators of Compromise (IOCs)

| Indicator | Type | Description |
| --- | --- | --- |
| 169.254.169.254 | IP Address | IP address of the metadata server accessed during exploitation. |
| http://168.63.129.16/machine/?comp=goalstate | URL | URL accessed to retrieve encrypted settings from Azure WireServer. |
| TLS_BOOTSTRAP_TOKEN | Token | TLS bootstrap token used for authentication in the attack. |

MITRE ATT&CK Framework Mapping

| Tactic | Technique | ID | Description |
| --- | --- | --- | --- |
| Credential Access | Exploitation for Credential Access | T1212 | The attacker exploited vulnerabilities to access sensitive credentials such as TLS bootstrap tokens. |
| Defense Evasion | Abuse Elevation Control Mechanism | T1548.003 | The attacker used TLS bootstrap tokens to evade detection and perform actions under the guise of legitimate Kubernetes nodes. |
| Persistence | Valid Accounts | T1078 | The attacker could maintain persistence by creating legitimate credentials (e.g., kubelet certificates) after obtaining the TLS bootstrap tokens. |

References

“WireServing” Up Credentials: Escalating Privileges in Azure Kubernetes Services. Mandiant, Google Cloud Blog, August 2024. Summary: An attacker with access to a vulnerable Microsoft Azure Kubernetes Services cluster could have escalated privileges and accessed credentials for services used by the cluster.