medium

Google Cloud GKE Unsecure Sys:All Binding

Published Wed, Jan 24th, 2024
Platforms

Summary

The system:authenticated group in Kubernetes is a special group that includes every authenticated entity, human users and service accounts alike. Anyone who successfully authenticates to the Kubernetes API server, regardless of the authentication method used, is automatically a member of this group and therefore receives every role and permission bound to it. Administrators often treat the group as if it meant "trusted users", when it actually means "anyone holding any valid credential"; this misunderstanding creates a significant security loophole when they unknowingly bind the group to overly permissive roles.

Affected Services

GKE

Remediation

In addition to upgrading to GKE version 1.28 or higher, the main way to block this attack vector is to strictly follow the principle of least privilege. Assigning broad permissions to the system:authenticated group, whether deliberately or not, is a clear breach of this principle: it grants those permissions to every identity that can authenticate to the cluster at all. Organizations should always aim for granular, explicitly scoped bindings instead.
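The following audit script is an added example, not part of this entry or of GKE itself: it scans the JSON that `kubectl get clusterrolebindings -o json` produces and flags any binding that hands a role other than the three upstream Kubernetes defaults (system:basic-user, system:discovery, system:public-info-viewer) to the system:authenticated group. The binding list embedded below is a constructed sample so the script runs offline.

```python
import json
import sys

# Upstream Kubernetes ships exactly these ClusterRoles bound to
# system:authenticated; they grant only API discovery and self-info.
EXPECTED_DEFAULTS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
SAMPLE_JSON = """
{"items": [
 {"metadata": {"name": "system:basic-user"}, "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"metadata": {"name": "all-users-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"metadata": {"name": "dev-team"}, "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "Group", "name": "devs"}]},
 {"metadata": {"name": "authenticated-view"}, "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "User", "name": "alice"}, {"kind": "Group", "name": "system:authenticated"}]}
]}
"""
SAMPLE = json.loads(SAMPLE_JSON)


def grants_to_authenticated(binding):
    """True if any subject of the binding is the Group system:authenticated."""
    for subj in binding.get("subjects") or []:
        if subj.get("kind") == "Group" and subj.get("name") == "system:authenticated":
            return True
    return False


def find_risky_bindings(binding_list):
    """Return [(binding name, role name)] for every binding that gives a
    non-default role to all authenticated principals, in list order."""
    findings = []
    for b in binding_list.get("items", []):
        if not grants_to_authenticated(b):
            continue
        role = b.get("roleRef", {}).get("name", "")
        if role not in EXPECTED_DEFAULTS:
            findings.append((b.get("metadata", {}).get("name", ""), role))
    return findings


if __name__ == "__main__":
    # Pass a file saved from kubectl as argv[1]; otherwise audit the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, role in find_risky_bindings(data):
        print(f"RISK: ClusterRoleBinding {name} grants {role} to system:authenticated")
```

The same function works on the `items` of a RoleBinding list, which catches the namespaced variant of the same mistake.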

Tracked CVEs

No tracked CVEs

References

Entry Status
-
Disclosure Date
Fri, Jan 19th, 2024
Exploitability Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Roi Nisimi, Orca