medium

GKE Authorized Networks bypass via Cloud Functions or Cloud Run

Published Tue, Jun 7th, 2022

Platforms

gcp

Summary

Running Cloud Functions or Cloud Run in any project and in any organization made it possible to bypass the GKE Authorized Networks (also known as the Kubernetes control plane firewall) of a cluster in a different project or organization.

Affected Services

GKE

Remediation

Run the following command on existing clusters to block traffic to the GKE control plane from Google Cloud VMs or Cloud Run sourced with Google Cloud public IPs (the same flag can be used at cluster creation time as well): `gcloud container clusters update CLUSTER_NAME --no-enable-google-cloud-access`
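To find which clusters still need the flag, the added example below (not part of the original entry) audits cluster descriptions shaped like the output of `gcloud container clusters list --format=json` and prints the remediation command for each cluster that has Authorized Networks enabled without Google Cloud access explicitly blocked. It assumes the GKE API field `masterAuthorizedNetworksConfig.gcpPublicCidrsAccessEnabled` reflects the flag and adds `--location` to the command; the sample clusters are constructed.

```python
import json
import shlex

# Constructed sample, shaped like `gcloud container clusters list --format=json`.
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "prod-a", "location": "us-central1",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}],
     "gcpPublicCidrsAccessEnabled": false}},
  {"name": "prod-b", "location": "europe-west1-b",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "cidrBlocks": [{"cidrBlock": "198.51.100.0/24"}]}},
  {"name": "dev-c", "location": "us-east1",
   "masterAuthorizedNetworksConfig": {"enabled": true,
     "gcpPublicCidrsAccessEnabled": true}},
  {"name": "lab-d", "location": "us-west1"}
]
""")


def classify(cluster):
    """Return the control plane exposure status of one cluster description."""
    man = cluster.get("masterAuthorizedNetworksConfig") or {}
    if not man.get("enabled"):
        # No Authorized Networks at all: the flag from this entry does not apply.
        return "authorized-networks-off"
    # Assumption: only an explicit false counts as blocked; a missing field
    # is flagged for review rather than trusted.
    if man.get("gcpPublicCidrsAccessEnabled") is False:
        return "google-cloud-access-blocked"
    return "google-cloud-access-allowed"


def audit(clusters):
    """Classify every cluster and attach the remediation command where needed."""
    findings = []
    for c in clusters:
        status = classify(c)
        fix = None
        if status == "google-cloud-access-allowed":
            fix = ("gcloud container clusters update %s --location %s "
                   "--no-enable-google-cloud-access"
                   % (shlex.quote(c["name"]), shlex.quote(c["location"])))
        findings.append({"name": c["name"], "status": status, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CLUSTERS):
        print(f["name"], f["status"], f["fix"] or "")
```

Clusters reported as `authorized-networks-off` have no control plane allowlist in place, so they need Authorized Networks enabled before this flag has any effect.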

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Wed, Mar 9th, 2022

Exploitability Period

Until 2022/09/30

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Peter Collins