The security company Orca Security has disclosed a vulnerability in Google Kubernetes Engine (GKE) that could allow an attacker with nothing more than a Google account to gain control of a Kubernetes cluster. The issue, which Orca named Sys:All, is estimated to affect approximately 250,000 active GKE clusters.
According to Orca Security's report, the issue stems from a common misunderstanding about the system:authenticated group in GKE. system:authenticated is a special group that contains every authenticated principal, including users and service accounts. Many administrators assume the group covers only their own trusted users, when in fact on GKE it includes any Google account. The consequence is severe: an administrator who binds a role to this group may unknowingly grant excessive privileges to every Google account holder.
An external attacker who holds a Google OAuth 2.0 token can therefore exploit this misconfiguration to take control of the cluster and use it for malicious purposes such as cryptomining and denial-of-service (DoS) attacks.
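The practical defensive check for the misconfiguration described above is to audit every RoleBinding and ClusterRoleBinding whose subject is system:authenticated (or system:unauthenticated) and flag any that grant more than the built-in discovery roles. The script below is an added example, not code from Orca's report; it runs over a constructed JSON sample shaped like `kubectl get clusterrolebindings,rolebindings -A -o json` output, and the allowlist of default binding names is an assumption about a stock cluster.

```python
import json

# Constructed sample (not real cluster data), trimmed to the fields the check needs.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops-team@example.com"}]},
]})

# Groups that every Google account (or, for the second one, anyone at all) belongs to.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Assumption: these are the bindings Kubernetes itself creates for those groups;
# they grant only API discovery / self-info access and are expected on every cluster.
DEFAULT_OK = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_overbroad_bindings(bindings_json):
    """Return (kind, namespace, binding, role, groups) for every binding that
    gives a broad group anything beyond the built-in discovery roles."""
    findings = []
    for item in json.loads(bindings_json)["items"]:
        groups = {s["name"] for s in item.get("subjects", []) if s["kind"] == "Group"}
        hit = groups & BROAD_GROUPS
        if not hit:
            continue
        name = item["metadata"]["name"]
        role = item["roleRef"]["name"]
        # Stock discovery bindings are fine; anything else bound to these groups is not.
        if item["kind"] == "ClusterRoleBinding" and name in DEFAULT_OK and role in DEFAULT_OK:
            continue
        namespace = item["metadata"].get("namespace", "<cluster>")
        findings.append((item["kind"], namespace, name, role, sorted(hit)))
    return findings


if __name__ == "__main__":
    for finding in find_overbroad_bindings(SAMPLE_BINDINGS):
        print("OVERBROAD:", finding)
```

On a real cluster, pipe the kubectl output into `find_overbroad_bindings` and remediate each hit by deleting the binding or replacing the broad group with the specific users or Google Groups that actually need the role.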