
Google Kubernetes Presents a Significant Vulnerability

The security landscape of Google Kubernetes Engine (GKE) has been rattled by a significant vulnerability, exposing millions of containers to potential external threats. This exposure is attributed to a common misunderstanding regarding the permissions of an authentication group within GKE, which, as it turns out, could allow virtually anyone with a Google account to access private Kubernetes container clusters.

Orca Weighs In

This revelation was brought to light by Orca Security, who identified the issue named Sys:All. It stems from an erroneous assumption: when administrators grant privileges to the “system:authenticated” group in GKE, they often believe it includes only verified GKE users within their organization. In reality, this group encompasses any Google authenticated account, including those external to the organization.

This misinterpretation opens a significant security gap, particularly because similar groups in AWS and Azure do not function this way.

Orca’s probe into the issue was revealing. Utilizing a simple Python script, they scanned for GKE clusters and discovered 250,000 active ones. Among these, 1,300 were potentially vulnerable to Sys:All attacks, and 108 posed immediate compromise risks, allowing unauthorized actions like cluster-admin access or listing and modifying secrets.

This is NOT a Small Problem

The implications of this security oversight are vast. Kubernetes, being a widely used system for container management, becomes a lucrative target for threat actors. Incidents such as cryptomining, denial-of-service attacks, and sensitive data theft become real possibilities. The past has shown that such vulnerabilities in Kubernetes, even on other platforms like AWS, can lead to substantial security breaches.

In response to this, Google has implemented several measures, including restricting the binding of the system:authenticated group in newer versions of GKE (version 1.28 and onwards). The company is also notifying customers who might be vulnerable and planning further architectural changes. However, the issue remains a significant concern, as numerous other roles and permissions can still be assigned to the system:authenticated group.

Orca advises organizations with GKE clusters to adhere strictly to the principle of least privilege, granting only the privileges a specific role actually needs and continuously monitoring those privileges. They also suggest using a cloud security platform for comprehensive protection and monitoring. Both are things we should all be doing anyway.
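To put the least-privilege and monitoring advice into practice, here is an added audit script (not Orca's scanner or Google's tooling) that reads the JSON from `kubectl get clusterrolebindings,rolebindings -A -o json` and flags every binding granted to the system:authenticated or system:unauthenticated group. The sample input is constructed, and the allowlist of stock Kubernetes default bindings is an assumption you should tune for your own clusters.

```python
import json
import sys

# Groups whose membership is far broader than most administrators assume:
# in GKE, system:authenticated covers any Google-authenticated account.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# ClusterRoleBindings that stock Kubernetes ships bound to system:authenticated.
# Anything beyond this list deserves a review (assumption: tune per cluster).
DEFAULT_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_broad_bindings(items):
    """Return (kind, namespace, binding, role, group) for each binding whose
    subjects include a broad group and which is not a stock default."""
    findings = []
    for item in items:
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        if item.get("kind") == "ClusterRoleBinding" and name in DEFAULT_BINDINGS:
            continue  # expected out of the box; not a misconfiguration
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append((item.get("kind"), meta.get("namespace", ""), name, role, subj["name"]))
    return findings


def audit(kubectl_json):
    """kubectl_json: text of `kubectl get clusterrolebindings,rolebindings -A -o json`."""
    return find_broad_bindings(json.loads(kubectl_json)["items"])


# Constructed sample: one stock default, one cluster-admin grant to everyone,
# one namespaced secret-reader grant to everyone, and one properly scoped binding.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "secret-readers", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-devs", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "devs@example.com"}]},
]})

if __name__ == "__main__":
    # Pass a saved kubectl JSON file as argv[1]; otherwise the sample is audited.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, ns, name, role, group in audit(data):
        print(f"{kind} {ns or '-'}/{name}: {group} -> {role}")
```

Run it against the saved output of the kubectl command above and review every line it prints; the two flagged bindings in the sample are exactly the kind of grant that exposes a cluster to any Google account.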

Microsoft – Are You Paying Attention?

Google, acknowledging the issue, is working closely with Orca Research to integrate their findings into their response strategy.

Through its Vulnerability Rewards Program, and in acknowledgement of the responsibility that comes with market dominance, Google values the contributions of the security community and has issued a security bulletin outlining protective measures for affected GKE users.

Microsoft could take a lesson from their playbook.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
