Cybersecurity researchers have identified a vulnerability in Google Kubernetes Engine (GKE) that could allow threat actors holding any Google account to take control of a Kubernetes cluster. The vulnerability, named Sys:All, affects an estimated 250,000 active GKE clusters.

The issue stems from a misconception that the system:authenticated group in GKE contains only verified identities, when in fact it contains every Google-authenticated account, including ordinary Gmail accounts. Wherever a cluster binds that group to a role, an attacker with any Google account can exploit the misconfiguration to gain control of the cluster and carry out malicious activities such as lateral movement, cryptomining, and data theft. The attack does not leave a trace that can be linked back to the Gmail or Google Workspace account used.

Google has blocked binding the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later, and recommends that users not bind the group to any RBAC role. However, other roles and permissions can still be assigned to the group, leaving such clusters vulnerable. While no large-scale attacks using this method have been observed yet, users are advised to audit and secure their cluster access controls.
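The advice above amounts to "find every RBAC binding that grants something to system:authenticated". The following Python script is an added example, not code from the original article or from Google, that scans the `items` array of a `kubectl get clusterrolebindings,rolebindings -A -o json` export for such bindings. It goes slightly beyond the article by also flagging the sibling built-in group system:unauthenticated, and it skips the upstream Kubernetes default bindings (system:basic-user, system:discovery, system:public-info-viewer) that legitimately reference these groups; treating those as expected is an assumption that may not match every GKE version. The sample export embedded below is constructed for the example.

```python
import json

# Built-in Kubernetes groups that every (or any) caller belongs to; binding them
# to a privileged role is the Sys:All misconfiguration. system:unauthenticated is
# added as a generalisation beyond the article, which discusses system:authenticated.
RISKY_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Upstream Kubernetes default ClusterRoleBindings that reference these groups.
# Assumption: these are expected in the cluster; anything else is a finding.
EXPECTED_DEFAULT_BINDINGS = {
    "system:basic-user",
    "system:discovery",
    "system:public-info-viewer",
}


def find_risky_bindings(bindings):
    """Return findings for RoleBinding/ClusterRoleBinding objects whose subjects
    include a risky built-in group. `bindings` is a list of API objects in the
    shape kubectl prints with -o json."""
    findings = []
    for b in bindings:
        kind = b.get("kind")
        meta = b.get("metadata") or {}
        role = b.get("roleRef") or {}
        name = meta.get("name")
        if kind == "ClusterRoleBinding" and name in EXPECTED_DEFAULT_BINDINGS:
            continue  # upstream default, assumed expected
        for subj in b.get("subjects") or []:
            if subj.get("kind") != "Group" or subj.get("name") not in RISKY_GROUPS:
                continue
            findings.append({
                "binding_kind": kind,
                "binding_name": name,
                "namespace": meta.get("namespace"),  # None for ClusterRoleBinding
                "group": subj["name"],
                "role_kind": role.get("kind"),
                "role_name": role.get("name"),
                # cluster-admin is the case Google blocked in GKE 1.28+; any other
                # role bound to the group is still a finding.
                "severity": "critical" if role.get("name") == "cluster-admin" else "high",
            })
    return findings


def scan_json(text):
    """Parse a kubectl -o json export (a List with `items`) and scan it."""
    doc = json.loads(text)
    items = doc.get("items") if isinstance(doc, dict) else doc
    return find_risky_bindings(items or [])


def remediation(finding):
    """Suggest the kubectl command that removes a flagged binding."""
    if finding["binding_kind"] == "ClusterRoleBinding":
        return f"kubectl delete clusterrolebinding {finding['binding_name']}"
    return (f"kubectl delete rolebinding {finding['binding_name']} "
            f"-n {finding['namespace']}")


# Constructed sample export: one upstream default binding, one Sys:All-style
# cluster-admin binding, one namespaced binding, and one harmless service-account binding.
SAMPLE_KUBECTL_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "auth-can-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-readers", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-bot"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
]})


if __name__ == "__main__":
    for f in scan_json(SAMPLE_KUBECTL_JSON):
        print(f"[{f['severity']}] {f['binding_kind']} {f['binding_name']} "
              f"binds {f['group']} -> {f['role_kind']}/{f['role_name']}")
        print("    fix:", remediation(f))
```

Against the constructed sample the scan reports two findings, the cluster-admin binding as critical and the namespaced pod-reader binding as high, and ignores both the upstream default and the service-account binding. Run it on a real export by piping `kubectl get clusterrolebindings,rolebindings -A -o json` into `scan_json`; the GKE-specific defaults your version ships may need adding to `EXPECTED_DEFAULT_BINDINGS` after review.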
