Azure Airflow Vulnerabilities Allow Unauthorized Cluster Access
2024-12-31
Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure? This article is for you!
Cybersecurity researchers identified three security vulnerabilities in Microsoft's Azure Data Factory Apache Airflow integration, which could allow attackers to gain unauthorized access and control over the entire Airflow Azure Kubernetes Service (AKS) cluster. These vulnerabilities involve misconfigured Kubernetes RBAC, poor secret handling, and weak authentication in Azure's Geneva service. Attackers could exploit these flaws to exfiltrate data, deploy malware, and manipulate log data. The research highlights the importance of managing service permissions and monitoring third-party services to prevent unauthorized access. Microsoft has updated documentation to address related access policy risks in Azure Key Vault.
Misconfiguration, Over Permissive Roles, Privilege Escalation, Git/Repo Breach, Cloud Service Provider Flaw
Azure, Apache Airflow, Kubernetes, RBAC, Geneva Service, Data Factory, Vulnerabilities
N/A
Microsoft Azure, Apache Airflow, Azure Kubernetes Service, Azure Key Vault, Amazon Bedrock, CloudTrail
Cybersecurity experts have discovered several security issues within Microsoft's Azure Data Factory integration with Apache Airflow. These vulnerabilities, if exploited, could allow attackers to perform covert operations like data theft and malware distribution. The main security weaknesses identified are misconfigured Kubernetes RBAC, poor secret handling, and weak authentication in Azure's Geneva service.
An attacker could exploit these vulnerabilities to gain persistent access as a shadow administrator across the Airflow Azure Kubernetes Service (AKS) cluster. By crafting a directed acyclic graph (DAG) file and uploading it to a connected GitHub repository, or by modifying an existing DAG file, the attacker could execute a reverse shell to an external server upon import. To achieve this, the attacker would need write permissions to the storage account holding DAG files, obtained by compromising a service principal, using a shared access signature (SAS) token, or accessing a Git repository with leaked credentials.
Although the initial shell operates with minimal permissions, further analysis revealed a service account with cluster-admin permissions linked to the Airflow runner pod. This misconfiguration means the attacker could download and use the Kubernetes command-line tool, kubectl, to take control of the cluster by deploying a privileged pod and eventually accessing the host virtual machine.
With root access to the host VM, attackers could penetrate deeper into the cloud environment, accessing Azure-managed resources like Geneva, some of which allow write access to storage accounts and event hubs. This could enable attackers to create new pods, modify service accounts, and send false logs to Geneva without detection.
This incident underscores the critical need for stringent service permission management to prevent unauthorized access and highlights the importance of monitoring operations involving critical third-party services.
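The escalation path above hinges on one thing a defender can check directly: a ServiceAccount bound cluster-wide to cluster-admin. The following Python audit is an added example, not code from the research or from Microsoft. It parses the JSON that `kubectl get clusterroles,clusterrolebindings -o json` returns and reports every ServiceAccount bound to cluster-admin or to any ClusterRole carrying a full-wildcard rule. The RBAC objects embedded in it are constructed sample data; the names airflow-runner, pod-reader and metrics are illustrative assumptions, not identifiers from the page.

```python
"""Audit Kubernetes RBAC for service accounts that hold cluster-admin-level power.

Added defender-side example (hypothetical). The RBAC objects below are constructed
sample data in the shape `kubectl get clusterroles,clusterrolebindings -o json` returns.
"""
import json

# Constructed sample: a wildcard ClusterRole (the shape of the built-in cluster-admin),
# a narrowly scoped role, and two bindings. Names are illustrative assumptions.
SAMPLE_RBAC = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "ClusterRole",
            "metadata": {"name": "cluster-admin"},
            "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
        },
        {
            "kind": "ClusterRole",
            "metadata": {"name": "pod-reader"},
            "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
        },
        {
            # The misconfiguration pattern: a workload service account given cluster-admin.
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "airflow-runner-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "airflow-runner", "namespace": "airflow"}],
        },
        {
            # A least-privilege binding that should not be flagged.
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "monitoring-pod-reader"},
            "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
            "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "monitoring"}],
        },
    ],
})


def is_wildcard_rule(rule):
    """True when a single rule grants every verb on every resource in every API group."""
    return ("*" in rule.get("verbs", [])
            and "*" in rule.get("resources", [])
            and "*" in rule.get("apiGroups", []))


def wildcard_roles(items):
    """Names of ClusterRoles that contain at least one full-wildcard rule."""
    return {
        obj["metadata"]["name"]
        for obj in items
        if obj.get("kind") == "ClusterRole"
        and any(is_wildcard_rule(rule) for rule in obj.get("rules") or [])
    }


def find_overprivileged_service_accounts(rbac_json):
    """Return one finding per ServiceAccount bound cluster-wide to cluster-admin
    or to any ClusterRole with a full-wildcard rule.

    Each finding is {"serviceAccount": "<namespace>/<name>", "binding": ..., "role": ...}.
    """
    items = json.loads(rbac_json)["items"]
    # cluster-admin is flagged by name even if its rules were not part of the dump.
    risky_roles = wildcard_roles(items) | {"cluster-admin"}
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        role_ref = obj.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") not in risky_roles:
            continue
        # "subjects" may be absent entirely on a binding, hence the `or []`.
        for subject in obj.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            findings.append({
                "serviceAccount": f"{subject.get('namespace', 'default')}/{subject['name']}",
                "binding": obj["metadata"]["name"],
                "role": role_ref["name"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_overprivileged_service_accounts(SAMPLE_RBAC):
        print(f"[RISK] ServiceAccount {finding['serviceAccount']} holds "
              f"{finding['role']} via ClusterRoleBinding {finding['binding']}")
```

To run it against a live cluster, replace `SAMPLE_RBAC` with the output of `kubectl get clusterroles,clusterrolebindings -o json`. The check only covers cluster-scoped bindings; namespaced RoleBindings that reference cluster-admin grant it within one namespace and would need a separate pass over `rolebindings`.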
In a related finding, Datadog Security Labs identified a privilege escalation issue in Azure Key Vault, where users with the Key Vault Contributor role could bypass access restrictions and manage Key Vault contents. Microsoft has since revised its documentation to address these risks. Additionally, an issue in Amazon Bedrock CloudTrail logging was discovered, making it challenging to distinguish between malicious and legitimate queries, potentially allowing undetected reconnaissance activities.
https://thehackernews.com/2024/12/misconfigured-kubernetes-rbac-in-azure.html?m=1