medium

Autopilot node compromise via allowlisted workload masquerade

Published Tue, Mar 8th, 2022

Platforms

Summary

Unit 42 researchers disclosed several vulnerabilities and attack techniques in GKE Autopilot to Google, the root cause being insufficient verification of allowlisted workload image names. An attacker with permissions to create a pod could have abused these vulnerabilities to (1) escape their pod and compromise the underlying node, (2) escalate privileges and become full cluster administrators, and (3) covertly persist administrative access through backdoors that are completely invisible to cluster operators.

Affected Services

Autopilot

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/https://cloud.google.com/support/bulletins https://cloud.google.com/anthos/clusters/docs/security-bulletins

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Tue, Jun 1st, 2021

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Yuval Avrahami, Palo Alto

More vulnerabilities...

critical

AutoWarp

An exposed endpoint in the Azure Automation Service allowed to steal Azure API credentials from other customers

Yanir Tsarimi, Orca SecurityMar 7, 2022

medium

Google Cloud Armor packet size bypass

Cloud Armor has a documented limitation of 8 KB as the maximum size of web request that it will inspect. The default behavior of Cloud Armor in this case can allow oversized malicious requests to b...

Karan Saini, Riyaz Walikar,...Feb 24, 2022

low

Cognito User Group spoofing

Opsmorph discovered an improper access control vulnerability in authorization logic common in applications built on AWS. The vulnerability means a user with permission to create a new Cognito User...

opsmorphFeb 15, 2022

View all