
Mandiant uncovers critical privilege escalation vulnerability in Azure Kubernetes Service

Google LLC’s Mandiant has published details of a critical privilege escalation vulnerability in Microsoft Corp.’s Azure Kubernetes Service that, though already patched by Microsoft, could have allowed an attacker with a foothold in a single pod to gain access to credentials for services used across a Kubernetes cluster.

The vulnerability affected Azure Kubernetes Service (AKS) clusters configured with “Azure CNI” as the network plugin and “Azure” as the network policy engine. An attacker with command execution in a pod running on an affected cluster could download the configuration used to provision the cluster node, extract the Transport Layer Security bootstrap tokens it contains and perform a TLS bootstrap attack to read all secrets within the cluster.

The flaw hinges on Azure WireServer, an undocumented Azure component that every virtual machine can reach at 168.63.129.16 and that the platform uses internally for tasks such as provisioning and extension management. Building on research that CyberCX published in May 2023, Mandiant’s researchers found that the key used to encrypt the protected settings values of VM extensions can simply be requested from WireServer.

Given network access to WireServer and the HostGAPlugin endpoint, an attacker could retrieve the settings provided to a number of VM extensions and decrypt their protected values with that key. Among them are the settings of the “Custom Script Extension,” the Azure VM extension that runs the script giving a virtual machine its initial configuration.

On an AKS node that script carries the configuration details for the node, including the TLS bootstrap tokens used during the initial setup of a Kubernetes node. An attacker with command execution in a pod on an affected cluster could therefore recover those tokens from inside the pod and use them to join the cluster as a node.

The issue was addressed by Microsoft prior to the details being published Monday, but the vulnerability does raise broader questions about security in both Kubernetes and Azure.

“The recent vulnerability discovered in Azure Kubernetes Services is a prime example of how complex modern cloud environments can create unexpected security risks,” Guy Rosenthal, vice president of product at security solutions provider DoControl Inc., told SiliconANGLE. “This isn’t just about a simple configuration error — it’s a sophisticated attack that exploits undocumented Azure components to gain elevated privileges within a Kubernetes cluster.”

Rosenthal explained that though Microsoft has patched this specific issue, it highlights a broader challenge in cloud security. “As we build more complex, interconnected systems, we’re also creating new attack surfaces that might not be immediately obvious,” he said. “It’s not enough to just secure the front door — we need to think about every possible entry point, even the ones we didn’t know existed.”

Callie Guenther, senior manager of cyber threat research at managed detection and response firm Critical Start Inc., said security teams must immediately audit their AKS configurations, especially if using “Azure CNI” for network configuration and “Azure” for network policy.

Security teams “should also rotate all Kubernetes secrets, enforce strict pod security policies and implement robust logging and monitoring to detect any suspicious activities,” Guenther added. “While this vulnerability is serious, requiring prompt action, it is a second-stage attack, meaning it needs prior access to a pod. Thus, it should be prioritized accordingly within the broader context of an organization’s threat landscape.”
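As an added example (not code from Mandiant, Microsoft or the analysts quoted here), the following Python script turns two points above into something runnable: the audit of AKS network settings that Guenther recommends, and a network control that removes the pod-to-WireServer path the attack chain starts from. It reads the JSON that `az aks list -o json` produces and flags clusters that combine the “Azure CNI” plugin with the “Azure” network policy engine, then builds a Kubernetes NetworkPolicy that denies egress from application pods to 168.63.129.16/32, the WireServer address, while leaving all other egress intact. The cluster records are constructed sample data; the field names follow the `az aks` JSON schema; the policy name and the namespaces used are placeholders.

```python
"""
AKS WireServer audit helper (example code written for this article, not tooling
from Mandiant or Microsoft).

Two functions:
  at_risk_clusters()        - scan `az aks list -o json` output for clusters that use
                              the Azure CNI plugin together with the Azure network
                              policy engine, the configuration the write-up names.
  wireserver_block_policy() - build a NetworkPolicy that stops every pod in a
                              namespace from reaching the Azure WireServer address.

Assumptions: field names follow the `az aks` JSON schema
(networkProfile.networkPlugin, networkProfile.networkPolicy); SAMPLE_CLUSTERS is
constructed sample data, not real inventory.
"""
import json
import sys

# Virtual IP every Azure VM uses for WireServer (TCP 80); HostGAPlugin listens on
# the same address on TCP 32526.
WIRESERVER_IP = "168.63.129.16"

# Constructed sample of `az aks list -o json` output, trimmed to the fields used here.
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "prod-aks", "resourceGroup": "rg-prod",
   "networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"}},
  {"name": "dev-aks", "resourceGroup": "rg-dev",
   "networkProfile": {"networkPlugin": "azure", "networkPolicy": "calico"}},
  {"name": "legacy-aks", "resourceGroup": "rg-legacy",
   "networkProfile": {"networkPlugin": "kubenet", "networkPolicy": null}},
  {"name": "edge-aks", "resourceGroup": "rg-edge",
   "networkProfile": {"networkPlugin": "Azure", "networkPolicy": "Azure"}}
]
""")


def at_risk_clusters(clusters):
    """Return (resourceGroup, name) pairs whose network settings match the
    configuration named in the Mandiant write-up: Azure CNI plus Azure network
    policy. A match means "review first", not "confirmed exploitable": Microsoft
    has fixed the platform side, so this orders hardening work."""
    hits = []
    for cluster in clusters:
        profile = cluster.get("networkProfile") or {}
        plugin = (profile.get("networkPlugin") or "").lower()
        policy = (profile.get("networkPolicy") or "").lower()
        if plugin == "azure" and policy == "azure":
            hits.append((cluster["resourceGroup"], cluster["name"]))
    return hits


def wireserver_block_policy(namespace, blocked_cidrs=(WIRESERVER_IP + "/32",)):
    """Build a NetworkPolicy (as a dict; kubectl accepts JSON manifests) that keeps
    every pod in `namespace` from sending traffic to `blocked_cidrs` while leaving
    all other egress, including DNS to CoreDNS, untouched. Do not apply it to
    kube-system: CoreDNS there forwards to the VNet default DNS, which is the same
    address."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "deny-azure-wireserver", "namespace": namespace},
        "spec": {
            "podSelector": {},  # empty selector: every pod in the namespace
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                     "except": list(blocked_cidrs)}}]}
            ],
        },
    }


if __name__ == "__main__":
    # Real data: az aks list -o json | python3 aks_wireserver_audit.py
    clusters = SAMPLE_CLUSTERS if sys.stdin.isatty() else json.load(sys.stdin)
    for rg, name in at_risk_clusters(clusters):
        print(f"review: {rg}/{name} uses Azure CNI with Azure network policy")
    print(json.dumps(wireserver_block_policy("default"), indent=2))
```

Pipe real inventory in with `az aks list -o json | python3 aks_wireserver_audit.py` and apply the emitted manifest to each application namespace with `kubectl apply -f`. Two caveats: a match only says the cluster has the configuration the write-up names, not that it is still exploitable after Microsoft’s fix, and the policy must stay out of kube-system, where CoreDNS forwards upstream to the VNet’s default DNS at the same 168.63.129.16 address. Teams that also restrict the instance metadata endpoint (169.254.169.254/32) can pass it in `blocked_cidrs` alongside the WireServer address.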

Source: siliconangle.com
