medium

Azure Arc-enabled Kubernetes privilege escalation

Published Tue, Oct 11th, 2022
Platforms

Summary

Azure Arc allows customers to connect on-premises Kubernetes clusters to Azure. This is facilitated by middleware (the Azure Arc-enabled Kubernetes agent) which includes a "cluster connect" feature in the form of a reverse proxy. A vulnerability in this feature could allow an unauthenticated user to elevate their privileges and potentially gain remote administrative control over any Azure Arc-enabled cluster, as long as they know its randomly generated external DNS endpoint. Azure Stack Edge devices are also affected, because the service supports deployment of Kubernetes workloads via Azure Arc.

Affected Services

Azure Arc, Azure Stack Edge

Remediation

For Azure Arc customers using auto-upgrade (which is enabled by default), no action is required. Otherwise, the Azure Arc-enabled Kubernetes agent must be updated to versions 1.5.8, 1.6.19, 1.7.18 or 1.8.11 (see link to instructions in references). Azure Stack Edge customers must update to the 2209 release (software version 2.2.2088.5593).

Tracked CVEs

CVE-2022-37968

References

Entry Status
Finalized
Disclosure Date
Tue, Oct 11th, 2022
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Mo Khan, Microsoft