In recent years, Kubernetes has gained immense popularity as an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications. To strengthen the security of containerized applications, Microsoft introduced Confidential Containers in Azure Kubernetes Service (AKS). This lets users run their container workloads on a dedicated hardware layer, leveraging hardware-based trusted execution environments (TEEs) to protect against breaches even by highly privileged insiders.

In this post, we will discuss a critical vulnerability, identified as CVE-2024-21403, which affects Microsoft Azure Kubernetes Service Confidential Container environments. Exploiting this vulnerability could allow an attacker to elevate their privileges and perform unauthorized actions in the AKS environment. We will delve into the technical details of this vulnerability, provide code snippets to illustrate the issue, and discuss potential exploit scenarios. Finally, we'll link to the original references and patches addressing this security flaw.

Vulnerability Details

CVE-2024-21403 affects Microsoft Azure Kubernetes Service environments running Confidential Containers with hardware TEE support. The vulnerability lies in the insecure handling of cryptographic key material in the container platform, specifically in the implementation of the hardware TEE attestation process. When a node is bootstrapped and registered to the Kubernetes cluster, certain hardcoded keys are used in the attestation process. These hardcoded keys are supposed to be replaced once the cluster is successfully established.

However, due to a bug in the implementation, the original keys remain on the system, giving an attacker with local access to the node an opportunity to read the keys and create a malicious container running at an escalated privilege level. From there they could launch additional attacks on other containers, widening their access to sensitive data and potentially causing severe damage to the environment.

Exploit Scenarios

To exploit this vulnerability, an attacker would first have to gain local access to an AKS node running a Confidential Container environment. This could be facilitated by finding other security weaknesses in the container environment, or by leveraging credentials inadvertently leaked to the attacker.

Once the attacker has local access, they would search for the hardcoded keys. The following code snippet demonstrates how an attacker can locate and extract the keys from the system:

import os

KEY_DIRS = ["/etc/azure/key_encryption_keys/", "/etc/kubernetes/secrets/"]

def find_and_extract_keys(key_dirs):
    found_keys = []
    for key_dir in key_dirs:
        for root, _, files in os.walk(key_dir):
            for file in files:
                if file.endswith(".pem"):
                    with open(os.path.join(root, file), "r") as key_file:
                        key_data = key_file.read()
                        found_keys.append((os.path.join(root, file), key_data))
    return found_keys

if __name__ == "__main__":
    found_keys = find_and_extract_keys(KEY_DIRS)
    for key_path, key_data in found_keys:
        print(f"Found key at {key_path}:\n{key_data}\n")

With the extracted keys, the attacker could create and deploy a malicious container, achieving a high level of access in the AKS environment. This would allow them to potentially steal sensitive data, compromise other containers, or disrupt cluster operations.

Mitigation and Original References

Microsoft has acknowledged CVE-2024-21403 and provided a patch to address the vulnerability. The patch ensures that keys are correctly replaced in the attestation process after cluster establishment, preventing attackers from exploiting the vulnerability.
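A defender who has applied the patch will want to verify that no bootstrap-era key material is still lying around. The following audit script is an added example written for this post; it is not Microsoft's code and it is not a tool the advisory ships. It walks the key directories the post names (treated here as assumptions, not verified AKS paths), compares the SHA-256 fingerprint of every .pem file against an inventory of known bootstrap-key fingerprints, and flags key files that are readable by group or other. The fingerprint inventory and the sample keys are constructed placeholders; a real deployment would populate the set from the platform's own key inventory. Unlike the extraction snippet above, the audit never prints key contents, only paths and reasons.

```python
import hashlib
import os
import stat
import tempfile

# Directories named in the post; assumed, not verified AKS locations.
KEY_DIRS = ["/etc/azure/key_encryption_keys/", "/etc/kubernetes/secrets/"]

# Constructed placeholder key material (not real keys). In practice the
# bootstrap fingerprints would come from a trusted inventory, not from disk.
SAMPLE_BOOTSTRAP_KEY = (
    b"-----BEGIN PRIVATE KEY-----\nBOOTSTRAP-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
)
SAMPLE_ROTATED_KEY = (
    b"-----BEGIN PRIVATE KEY-----\nROTATED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
)


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a key file's bytes; used instead of the bytes themselves."""
    return hashlib.sha256(data).hexdigest()


# Fingerprints of bootstrap keys that must NOT remain after cluster establishment.
KNOWN_BOOTSTRAP_FINGERPRINTS = {fingerprint(SAMPLE_BOOTSTRAP_KEY)}


def audit_key_dirs(key_dirs, known_bad):
    """Return a list of (path, reason) findings. Key contents are never emitted."""
    findings = []
    for key_dir in key_dirs:
        if not os.path.isdir(key_dir):
            continue  # directory absent on this node; nothing to check
        for root, _, files in os.walk(key_dir):
            for name in files:
                if not name.endswith(".pem"):
                    continue
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    fp = fingerprint(fh.read())
                if fp in known_bad:
                    findings.append((path, "bootstrap key still present"))
                # Private key material should be owner-only (0600).
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(
                        (path, f"key readable by group/other (mode {oct(mode)})")
                    )
    return findings


def demo():
    """Build a constructed key tree in a temp dir and audit it offline."""
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = os.path.join(tmp, "etc", "azure", "key_encryption_keys")
        os.makedirs(key_dir)
        stale = os.path.join(key_dir, "bootstrap.pem")   # should have been replaced
        rotated = os.path.join(key_dir, "node.pem")      # properly rotated key
        with open(stale, "wb") as fh:
            fh.write(SAMPLE_BOOTSTRAP_KEY)
        with open(rotated, "wb") as fh:
            fh.write(SAMPLE_ROTATED_KEY)
        os.chmod(stale, 0o644)    # too permissive
        os.chmod(rotated, 0o600)  # owner-only, as expected
        return audit_key_dirs([key_dir], KNOWN_BOOTSTRAP_FINGERPRINTS)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
    # On a real node you would run audit_key_dirs(KEY_DIRS, <trusted inventory>).
```

Running the demo reports two findings, both on bootstrap.pem (stale fingerprint and group/other-readable mode) and none on node.pem. Scheduling such a check as a DaemonSet or node-level cron job after patching gives a simple regression signal that the key replacement described in the advisory actually took effect.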

Azure Kubernetes Service users are strongly advised to update their environments as per the guidance provided by Microsoft, which can be found in the following references:

1. Microsoft Security Advisory: CVE-2024-21403
2. Azure Kubernetes Service Documentation

In conclusion, CVE-2024-21403 is a critical vulnerability that affects Microsoft Azure Kubernetes Service environments, allowing attackers to leverage stored cryptographic keys to escalate their privileges and compromise Confidential Containers. It's crucial for organizations running AKS environments to apply the security patch provided by Microsoft and regularly update their software to protect against emerging threats.

Timeline

Published on: 02/13/2024 18:15:58 UTC
Last modified on: 02/13/2024 18:22:43 UTC