medium

GKE and EKS CAP_NET_RAW metadata service MITM root privilege escalation

Published Mon, Jun 15th, 2020

Platforms

Summary

An attacker with access to a hostNetwork=true container with CAP_NET_RAW capability can listen to all the traffic going through the host and inject arbitrary traffic, allowing to tamper with most unencrypted traffic (HTTP, DNS, DHCP, ...), and disrupt encrypted traffic. In GKE the host queries the metadata service at http://169[.]254.169.254 to get information, including the authorized SSH keys. By manipulating the metadata service responses and injecting our own SSH key, it is possible to gain root privilege on the host.

Affected Services

GKE, EKS

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://blog.champtar.fr/Metadata_MITM_root_EKS_GKE/

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Mon, Jun 15th, 2020

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Etienne Champetier

More vulnerabilities...

high

RCE in Google Cloud Deployment Manager

An RCE in Google Cloud Deployment Manager could have allowed an attacker to make requests to internal Google services, authenticated as a privileged service account.

Ezequiel PereiraMay 21, 2020

low

GuardDuty detection bypass via cloudtrail

GuardDuty detected CloudTrail being outright disabled, but did not detect if an attacker with the necessary permissions filtered out all events from CloudTrail via PutEventSelectors, resulting in d...

Spencer Gietzen, Rhino Secu...Apr 23, 2020

low

GCP Cloudshell Cross-Site WebSocket Hijacking (CSWSH)

Google Cloudshell leveraged websockets without validating that the origin matched the current instance host. An attacker could therefore host a CSWSH attack on a Cloudshell instance they own, disab...

PsiMar 11, 2020

View all