Published Mon, Feb 15th, 2021
Platforms
An attacker could gain root privileges on their Azure Cloud Shell container, escape from the container, and then gain root privileges on the underlying node. The root cause was an insecure kubelet port (10250), among other cluster misconfigurations. With access to the node filesystem, an attacker could extract kubelet API credentials that allowed listing all pods and nodes in the cluster, including those belonging to other tenants. Moreover, an attacker could bypass RBAC policies in the cluster by deploying a pod with the "NodeSelector" flag, and thereby escalate their privileges to root on other tenants' containers (the same issue affected Azure Container Instances).
Cloud Shell, Container Instances
None required
No tracked CVEs
Contributed by https://github.com/yuvalavra
Entry Status
Finalized
Disclosure Date
Mon, Jan 20th, 2020
Exploitability Period
until January 30th, 2020
Known ITW Exploitation
-
Detection Methods
None
Piercing Index Rating
-
Discovered by
Chen Cohen, eBay