
Mandiant uncovers critical privilege escalation vulnerability in Azure Kubernetes service

Google LLC’s Mandiant has released details of a critical privilege escalation vulnerability in Microsoft Corp.’s Azure Kubernetes Service (AKS). Although Microsoft has since patched it, the flaw could have allowed an attacker who already had a foothold in a single pod to obtain the credentials of a cluster node and, from there, read secrets belonging to workloads across the cluster.

The privilege escalation vulnerability was found in AKS clusters that use “Azure CNI” for “Network Configuration” and “Azure” for “Network Policy”. An attacker with command execution in a pod running inside an affected cluster could download the configuration used to provision the cluster node, extract the Transport Layer Security bootstrap tokens, and perform a TLS bootstrap attack to read all secrets inside the cluster. TLS bootstrap tokens exist so that a freshly provisioned node can request its own client certificate from the Kubernetes API server; a pod that steals one can request a certificate in a node’s name and then act with that node’s privileges.

The vulnerability is related to Azure WireServer, an undocumented component of Azure used internally by the platform for several purposes. Building on research published by CyberCX in May 2023, Mandiant researchers found that the key used to encrypt the protected settings of virtual machine extensions can itself be requested from the WireServer.

An attacker with command execution in a pod on an affected AKS cluster could therefore reach the WireServer and HostGAPlugin endpoints from inside the cluster, retrieve the encrypted settings of a number of extensions, and decrypt them with the key obtained from the WireServer. Among those extensions is the Custom Script Extension, which AKS uses to provide a virtual machine with its initial configuration.

That configuration includes the TLS bootstrap tokens used during the initial setup of a Kubernetes node, which is what turns a foothold in one pod into node-level access to the cluster.
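The chain above ends with a stolen bootstrap token being presented to the API server from a pod rather than from a new node, and then with a node identity being used from a pod’s address. Both steps leave traces in the Kubernetes API-server audit log. The following detector is an added example (not code from Mandiant’s write-up or from Microsoft): it scans constructed audit events in the standard `audit.k8s.io/v1` Event shape and flags the identity `system:bootstrap:<token-id>` or `system:node:<name>` being used from an IP that belongs to a pod, or a node identity being used from an address other than that node’s own. The node and pod IP inventories are constructed for the example; in a real cluster you would build them from `kubectl get nodes -o wide` and `kubectl get pods -A -o wide`, which matters with Azure CNI because node and pod addresses come from the same VNet subnet.

```python
"""Detect TLS-bootstrap abuse in Kubernetes API-server audit events.

Added example, not from the original article. Inventory and audit
events below are constructed; the field names follow the real
audit.k8s.io/v1 Event format (user.username, sourceIPs, requestURI).
"""
import json
from dataclasses import dataclass

# Constructed inventory: registered nodes with their addresses, and the
# pod IPs currently allocated. With Azure CNI both come from the same
# subnet, so the inventory is the only reliable way to tell them apart.
NODE_IPS = {
    "aks-nodepool1-12345678-vmss000000": "10.224.0.4",
    "aks-nodepool1-12345678-vmss000001": "10.224.0.5",
}
POD_IPS = {"10.224.0.20", "10.224.0.21", "10.224.0.22"}

# Constructed audit log (one JSON event per line, trimmed to relevant fields).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # Normal: a registered node lists its own pods from its own address.
    {"kind": "Event", "verb": "list", "sourceIPs": ["10.224.0.4"],
     "user": {"username": "system:node:aks-nodepool1-12345678-vmss000000"},
     "requestURI": "/api/v1/pods?fieldSelector=spec.nodeName%3Daks-nodepool1-12345678-vmss000000"},
    # Normal: a scale-up node (not yet in inventory) bootstraps itself.
    {"kind": "Event", "verb": "create", "sourceIPs": ["10.224.0.6"],
     "user": {"username": "system:bootstrap:abcdef"},
     "requestURI": "/apis/certificates.k8s.io/v1/certificatesigningrequests"},
    # Suspicious: the same bootstrap token presented from a pod IP.
    {"kind": "Event", "verb": "create", "sourceIPs": ["10.224.0.21"],
     "user": {"username": "system:bootstrap:abcdef"},
     "requestURI": "/apis/certificates.k8s.io/v1/certificatesigningrequests"},
    # Suspicious: a node identity reading secrets from a pod IP.
    {"kind": "Event", "verb": "get", "sourceIPs": ["10.224.0.21"],
     "user": {"username": "system:node:aks-nodepool1-12345678-vmss000000"},
     "requestURI": "/api/v1/namespaces/prod/secrets/db-credentials"},
    # Suspicious: a node identity used from an address that is not that node's.
    {"kind": "Event", "verb": "list", "sourceIPs": ["10.224.0.9"],
     "user": {"username": "system:node:aks-nodepool1-12345678-vmss000001"},
     "requestURI": "/api/v1/pods"},
])


@dataclass
class Finding:
    rule: str
    username: str
    source_ip: str
    request_uri: str


def bootstrap_secret_name(username):
    """Map system:bootstrap:<id> to the kube-system secret holding that token,
    which is what you delete to revoke it (bootstrap tokens are stored as
    Secrets named bootstrap-token-<id>)."""
    token_id = username[len("system:bootstrap:"):]
    return f"bootstrap-token-{token_id}"


def check_event(event, node_ips=NODE_IPS, pod_ips=POD_IPS):
    """Return the findings for a single audit event (empty if it looks normal)."""
    user = event.get("user", {}).get("username", "")
    ips = event.get("sourceIPs") or []
    ip = ips[0] if ips else ""
    uri = event.get("requestURI", "")
    findings = []
    if user.startswith("system:bootstrap:") and ip in pod_ips:
        findings.append(Finding("bootstrap-token-used-from-pod", user, ip, uri))
    if user.startswith("system:node:"):
        node = user[len("system:node:"):]
        expected = node_ips.get(node)
        if ip in pod_ips:
            findings.append(Finding("node-identity-used-from-pod", user, ip, uri))
        elif expected is not None and ip != expected:
            findings.append(Finding("node-identity-from-unexpected-ip", user, ip, uri))
    return findings


def scan_audit_log(lines, node_ips=NODE_IPS, pod_ips=POD_IPS):
    """Scan an iterable of JSON audit lines; malformed lines are skipped, never fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(check_event(event, node_ips, pod_ips))
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{f.rule}: {f.username} from {f.source_ip} -> {f.request_uri}")
```

A bootstrap CSR from an unknown address is not flagged on its own, because that is exactly what a legitimate scale-up looks like; the signal is the token or node identity appearing at an address the pod inventory already accounts for. When a finding names a bootstrap token, `bootstrap_secret_name()` gives the `kube-system` Secret to delete so that the stolen token stops working, and the node whose identity was used should have its certificate rotated. To confirm whether a cluster runs the affected combination at all, `az aks show -g <rg> -n <cluster> --query "networkProfile.{plugin:networkPlugin,policy:networkPolicy}"` returning `azure` for both fields matches the configuration Mandiant describes.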

Microsoft fixed the issue before the details were made public, but the vulnerability raises broader questions about how cloud platform internals such as the WireServer interact with the security of Kubernetes clusters running on top of them.

“The vulnerability recently discovered in Azure Kubernetes Services is a prime example of how complex modern cloud environments can create unexpected security risks,” Guy Rosenthal, vice president of product at security solutions provider DoControl Inc., told SiliconANGLE. “This isn’t just a simple configuration error – it’s a sophisticated attack that exploits undocumented Azure components to gain elevated privileges within a Kubernetes cluster.”

“Although Microsoft has fixed this specific issue, it highlights a broader challenge for cloud security,” Rosenthal explains. “As we build more complex, interconnected systems, we also create new attack surfaces that may not be immediately obvious. It’s not enough to just secure the front door – we need to think about every possible entry point, even those we didn’t know existed.”

Callie Guenther, senior manager of cyber threat research at managed detection and response company Critical Start Inc., commented: “Although Microsoft has patched the issue, security teams need to immediately review their AKS configurations, especially if they use ‘Azure CNI’ for network configuration and ‘Azure’ for network policies.

Security teams “should also rotate all Kubernetes secrets, enforce strict pod security policies, and implement robust logging and monitoring measures to detect suspicious activity,” Guenther added. “While this vulnerability is severe and requires immediate action, it is a stage two attack, meaning it requires prior access to a pod, and should therefore be prioritized accordingly in the broader context of an organization’s threat landscape.”

Image: SiliconANGLE/Ideogram
