this post was submitted on 24 Jan 2024
46 points (100.0% liked)

Technology

37723 readers
534 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

The issue affected Google Kubernetes Engine (GKE), a system used to deploy, scale and manage how applications are “containerized.” GKE — the tech giant’s implementation of the open-source Kubernetes project — is used widely in healthcare, education, retail and financial services for data processing as well as artificial intelligence and machine learning operations.

Researchers from Orca Security explained that they uncovered an issue in GKE that “could allow an attacker with any Google account to take over a misconfigured Kubernetes cluster, potentially leading to serious security incidents such as cryptomining, denial of service, and sensitive data theft.”

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 14 points 9 months ago (2 children)

misconfigured

Makes me skeptical this is a real "loophole"

The issue revolves around permissions, with GKE allowing users access to the system with any valid Google account. Orca Security said this creates a “significant security loophole when administrators decide to bind this group with overly permissive roles.”

Orca Security noted that Google considers this to be “intended behavior” because in the end, this is an assigned permission vulnerability that can be prevented by the user. Customers are responsible for the access controls they configure.

The researchers backed Google’s assessment that organizations should “take responsibility and not deploy their assets and permissions in a way that carries security risks and vulnerabilities.”

Yeah, PEBKAC

[–] [email protected] 8 points 9 months ago (1 children)

We have identified several clusters where users have granted Kubernetes privileges to the system:authenticated group

lol if that's the whole thing, blaming Google is laughable, unless they default to that somewhere or have faulty documentation. That's not a security flaw with their tools.

[–] [email protected] 2 points 9 months ago

Over the past five years infosec has turned into a shitshow of showboating. Every exploit has to have a logo and catchy name. Attacks are widely hyped up despite the conditions for usage being extremely difficult or outright stupid. If you are assigning blanket permissions to a group that shouldn’t have it that is your fault. Obstructing stupidity is not in the scope of the container engine.