Security Flaw Discovered: Researchers have identified a privilege-escalation vulnerability in Microsoft Azure Kubernetes Services (AKS) that could allow an attacker who already has a foothold in the cluster (for example, code execution in a pod) to obtain cluster credentials.
Attack Method:
- The attacker downloads the cluster node configuration from inside the cluster and extracts the TLS bootstrap token embedded in it.
- With that token, the attacker completes the kubelet TLS bootstrap as if they were a node, obtains node credentials, and can then read every secret in the cluster.
Affected Components:
- Clusters that use Azure CNI for network configuration and Azure for network policy are affected.
- The exposed configuration contains sensitive material such as TLS keys and certificates; once decoded, these can be used to authenticate to the cluster's API server.
Mitigation:
- Restrictive NetworkPolicies block the attack path: if pods may only reach the services they actually need, a compromised pod cannot fetch the node configuration in the first place. A default-deny egress policy must be paired with explicit allow rules (at minimum cluster DNS), or workloads in the namespace will stop resolving names.
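The following is an added example of the restrictive-egress pattern described above; it is not from the original report or from Microsoft. It applies a namespace-wide default-deny egress policy and then allowlists only cluster DNS and one backend service. The namespace name (`app`), the backend label (`app: backend`) and its port are assumptions to be replaced with the workload's real dependencies; the article does not name the endpoint from which the node configuration is fetched, so the policy simply denies everything that is not listed.

```yaml
# Added example (not from the original article): namespace-wide
# default-deny egress plus a narrow allowlist. The empty podSelector
# selects every pod in the namespace, so a compromised pod can only
# reach the destinations listed in the second policy.
# The namespace, backend label and port below are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: app            # assumed namespace
spec:
  podSelector: {}           # all pods in the namespace
  policyTypes:
  - Egress
  # No egress rules: with only this policy applied, all outbound
  # traffic from these pods is dropped.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-required-egress
  namespace: app            # assumed namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # Cluster DNS: CoreDNS in AKS carries the k8s-app=kube-dns label.
  # Without this rule pods cannot resolve service names.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # The one in-namespace service these pods genuinely need
  # (assumed label and port).
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
```

NetworkPolicies are additive: the first object denies all egress and the second re-opens only the named destinations, so the effective rule set is the allowlist. After applying both, verify enforcement from inside a pod in the namespace (for example, `kubectl exec` into it and attempt a connection to an address that is not on the list); the attempt should time out rather than succeed. The policies only take effect on clusters where a network policy engine is actually enforcing them, which is the case for the Azure network policy configuration the article describes.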
Additional Vulnerabilities:
- A separate high-severity flaw (CVE-2024-7646) in ingress-nginx allows annotation validation to be bypassed, which could be used to gain unauthorized access.
- A design flaw in Kubernetes git-sync could lead to command injection and data exfiltration if not properly audited.
Action Required: Organizations should review and harden their AKS network and ingress configurations, apply the ingress-nginx fix for CVE-2024-7646, and audit git-sync pods and their configuration to prevent exploitation.