Exploiting the Opportunity: Google Kubernetes Flaw Allowing Gmail Accounts to Take Control of Your Clusters
Cybersecurity researchers have recently uncovered a critical vulnerability affecting Google Kubernetes Engine (GKE) that could let any threat actor with a Google account gain control over Kubernetes clusters. This security flaw, labeled Sys:All by cloud security firm Orca, has the potential to impact around 250,000 active GKE clusters in the wild.
The vulnerability arises from a widespread misconception about the system:authenticated group in Google Kubernetes Engine. Contrary to the belief that it includes only verified and deterministic identities, it in fact encompasses any Google-authenticated account, even those outside the organization.
The system:authenticated group is a special group that includes all authenticated entities, such as human users and service accounts. This becomes a critical issue when administrators unintentionally assign overly permissive roles to this group.
Essentially, an external threat actor with a Google account can exploit this misconfiguration by utilizing their Google OAuth 2.0 bearer token to seize control of the Kubernetes cluster. This opens the door to various malicious activities, including lateral movement, cryptomining, denial-of-service…
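An audit check for the misconfiguration described above, added here as an example and not taken from the article or from Orca: it scans the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` produces and reports every binding whose subjects include system:authenticated (or system:unauthenticated). The embedded input is a constructed sample, and the set of default discovery-only bindings treated as baseline is an assumption.

```python
import json
# Groups that, on GKE, mean "any Google account" (system:authenticated, per the
# article) or "anyone at all" (system:unauthenticated).
RISKY_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Assumption: these default ClusterRoleBindings ship with Kubernetes/GKE and only
# grant API discovery, so they are reported as baseline rather than as findings.
KNOWN_BASELINE = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

def find_risky_bindings(kubectl_json):
    """Parse a kubectl JSON list; return bindings whose subjects include a risky group."""
    findings = []
    for obj in json.loads(kubectl_json).get("items", []):
        groups = {s.get("name") for s in obj.get("subjects") or [] if s.get("kind") == "Group"}
        hit = groups & RISKY_GROUPS
        if not hit:
            continue
        role = obj["roleRef"]["name"]
        findings.append({
            "kind": obj["kind"],
            "binding": obj["metadata"]["name"],
            "namespace": obj["metadata"].get("namespace"),  # None for ClusterRoleBinding
            "role": role,
            "groups": sorted(hit),
            "baseline": obj["kind"] == "ClusterRoleBinding" and role in KNOWN_BASELINE,
        })
    return findings

# Constructed sample standing in for `kubectl get clusterrolebindings,rolebindings -A -o json`:
# a default discovery binding, a cluster-admin grant to everyone, a namespaced edit
# grant, and a benign binding to a named group.
SAMPLE_JSON = """{"items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "RoleBinding", "metadata": {"name": "ns-edit", "namespace": "prod"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "ops-team@example.com"}]}
]}"""

if __name__ == "__main__":
    for f in find_risky_bindings(SAMPLE_JSON):
        tag = "baseline" if f["baseline"] else "REVIEW"
        print(f"[{tag}] {f['kind']} {f['binding']} ns={f['namespace']} role={f['role']} groups={f['groups']}")
```

Anything tagged REVIEW grants a role to every Google account; the remediation is to remove that subject from the binding and bind the role to a specific user, group, or service account instead.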