A critical vulnerability in an Azure tool that lets users manage Kubernetes clusters can be exploited remotely without authentication to gain administrative control over Kubernetes clusters, as well as Azure edge devices.
The vulnerability, allocated a maximum possible CVSS (severity rating) score of 10 has been allocated CVE-2022-37968. It is in Azure Arc, a management platform for hybrid cloud and multi cloud deployments.
The vulnerability was reported internally at Microsoft and has not been seen exploited in the wild. But the rapidity with which threat actors are reverse engineering patches to understand vulnerabilities and how to exploit them means that rapid mitigation – particularly given the CVSS rating – should be a priority.
The vulnerability could be exploited locally by an attacker with low privileges to gain full admin rights, or, as Microsoft noted in its Patch Tuesday advisory, any attacker “who knows the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster can exploit this vulnerability from the internet.”
Microsoft added: “Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, allows an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster. Azure Stack Edge allows customers to deploy Kubernetes workloads on their devices via Azure Arc; therefore Azure Stack Edge devices are also vulnerable.”
The vulnerability was one of 85 new patches addressing CVEs in a host of Microsoft products including Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS) as part of this month’s Patch Tuesday series of security fixes from Redmond.
As bug bounty platform the Zero Day Initiative notes: “What may be more interesting is what isn’t included in this month’s release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks. These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information. Their mitigation advice has changed multiple times, so you’ll need to make sure you check it often for updates…”
With regard to the CVSS 10 Azure Arc vulnerability, Microsoft told customers that those using Azure Arc-enabled Kubernetes clusters upgrade to agent versions 1.5.8 and above, 1.6.19 and above, 1.7.18 and above, or 1.8.11 and above. The default setting for the service is to have automatic updates on and customers who have already upgrated to version 1.8.14 are already protected from this vulnerability.
Exploits involving container orchestration platform Kubernetes have started to emerge more regularly as it becomes a critical part of cloud-native, containerised enterprise workflows. A severe vulnerability reported earlier this year, for example, lets an attacker escape a Kubernetes container and gain root access to the host.
Allocated CVE-2021-0811 and reported by CrowdStrike, the CVSS 8.8 bug is in CRI-O, a container runtime engine and alternative to containerd or Docker that many Kubernetes users rely on to share each node’s kernel and resources with the various containerised applications running on it. CrowdStrike (dubbing it “cr8escape”) published a detailed proof-of-concept (POC) of exploitation as Kubernetes services providers from Red Hat to Oracle and beyond that relied on the runtime engine scrambled to patch the vulnerability.