GKE/Gmail vulnerability: notes and tips

New Google Kubernetes Engine misconfiguration vulnerability

JAMES MASKELONY · JAN 25, 2024 · TAGS: Alert / Cloud security / MDR

Security researchers have identified a common Google Kubernetes Engine misconfiguration. Here’s what you need to know.

Cybersecurity researchers have identified a dangerous Google Kubernetes Engine (GKE) misconfiguration that could allow attackers with a basic Gmail account to take control of a Kubernetes (k8s) cluster.

Per The Hacker News:

Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster.

In a report shared with The Hacker News, security researcher Ofir Yakobi said it “stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization).”

The researchers estimate that as many as 250,000 active GKE clusters may be at risk.

Misconfiguration is the #1 problem plaguing Kubernetes environments. One study found that 78% of k8s clusters have medium-to-high security concerns, and in a 2023 Red Hat survey, 37% of participants said they experienced revenue or customer losses resulting from a container/Kubernetes security incident.

With Kubernetes constantly growing in popularity and adoption, adversaries are scrambling for any and all weak spots to exploit, and misconfigurations are a siren’s call to them. The Google Kubernetes Engine (GKE)/Gmail misconfiguration is a good reminder to review the role bindings in your environment.

Specifically, security teams should be on the lookout for users and groups like system:anonymous, system:unauthenticated, and (if you use GKE) system:authenticated. If any roles other than system:public-info-viewer are bound to those, you’ll want to ensure they’re necessary and then scope your environment to make sure attackers haven’t abused those permissions/roles.
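The review above can be scripted. The following is an added example (not Expel's tooling) that applies the post's rule to the JSON that kubectl emits: it flags any ClusterRoleBinding or RoleBinding that grants a role other than system:public-info-viewer to system:anonymous, system:unauthenticated or system:authenticated. The file name `audit_bindings.py` and the embedded sample bindings are constructed for illustration; feed it real data with `kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit_bindings.py -`.

```python
import json
import sys

# Subjects the post says to watch for in role bindings (users/groups, not service accounts).
RISKY_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
# The only role the post treats as expected on those subjects; extend for your own reviewed bindings.
ALLOWED_ROLES = {"system:public-info-viewer"}


def find_risky_bindings(binding_list):
    """Return (namespace, binding, role, subject) for every binding that grants a role
    outside ALLOWED_ROLES to one of RISKY_SUBJECTS. Input is the parsed JSON of
    `kubectl get clusterrolebindings,rolebindings -A -o json` (a List object)."""
    findings = []
    for item in binding_list.get("items", []):
        meta = item.get("metadata", {})
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:  # subjects may be null on an empty binding
            if subj.get("kind") in ("User", "Group") and subj.get("name") in RISKY_SUBJECTS \
                    and role not in ALLOWED_ROLES:
                findings.append((meta.get("namespace", "<cluster>"), meta.get("name"), role, subj["name"]))
    return findings


# Constructed sample in kubectl's List format: one expected GKE binding, two risky ones, one benign.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oops-everyone-admin"},   # constructed
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "anon-read", "namespace": "dev"},  # constructed
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-sa", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "dev"}]},
]}

if __name__ == "__main__":
    # Pass "-" to read a kubectl JSON List from stdin; otherwise the constructed sample is audited.
    data = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    for ns, name, role, subj in find_risky_bindings(data):
        print(f"{ns}\t{name}\tgrants {role} to {subj}")
```

Each flagged line is a binding to confirm as intentional and then to investigate for abuse, as the post recommends.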

If you’re trying to scope your environment for attacker activity, we have good news. Expel recently released a Kubernetes mind map and cheat sheet that maps common hacker tactics along nine areas of MITRE ATT&CK activity and identifies the API calls and actions they make to execute on these techniques. We also throw in some of our own tips and tricks for investigating an incident that’s related to any of these tactics.

If you have questions about this misconfiguration—or Kubernetes security generally—we’re happy to talk.