The issue affected Google Kubernetes Engine (GKE), a system used to deploy, scale and manage how applications are “containerized.” GKE — the tech giant’s implementation of the open-source Kubernetes project — is used widely in healthcare, education, retail and financial services for data processing as well as artificial intelligence and machine learning operations.

Researchers from Orca Security explained that they uncovered an issue in GKE that “could allow an attacker with any Google account to take over a misconfigured Kubernetes cluster, potentially leading to serious security incidents such as cryptomining, denial of service, and sensitive data theft.”

  • AndrasKrigare@beehaw.org
    link
    fedilink
    arrow-up
    15
    ·
    9 months ago

    misconfigured

    Makes me skeptical this is a real “loophole”

    The issue revolves around permissions, with GKE allowing users access to the system with any valid Google account. Orca Security said this creates a “significant security loophole when administrators decide to bind this group with overly permissive roles.”

    Orca Security noted that Google considers this to be “intended behavior” because in the end, this is an assigned permission vulnerability that can be prevented by the user. Customers are responsible for the access controls they configure.

    The researchers backed Google’s assessment that organizations should “take responsibility and not deploy their assets and permissions in a way that carries security risks and vulnerabilities.”

    Yeah, PEBKAC

    • conciselyverbose@kbin.social
      link
      fedilink
      arrow-up
      8
      ·
      9 months ago

      We have identified several clusters where users have granted Kubernetes privileges to the system:authenticated group

      lol if that’s the whole thing, blaming Google is laughable, unless they default to that somewhere or have faulty documentation. That’s not a security flaw with their tools.

      • V ‎ ‎ @beehaw.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        Over the past five years infosec has turned into a shitshow of showboating. Every exploit has to have a logo and catchy name. Attacks are widely hyped up despite the conditions for usage being extremely difficult or outright stupid. If you are assigning blanket permissions to a group that shouldn’t have it that is your fault. Obstructing stupidity is not in the scope of the container engine.