kubeslice
cpe:2.3:a:kubeslice:kubeslice:*:*:*:*:*:*:*
- <= v1.3.1
A vulnerability in KubeSlice version 1.3.1 allows attackers to access the service account's token due to insecure permissions, leading to unauthorized privilege escalation. This vulnerability could be exploited by stealing the token from a service account with elevated permissions, such as those granted by a cluster role allowing updates to node resources. Once obtained, the token could be used to authenticate with the Kubernetes API server and access all secrets in the cluster, potentially allowing an attacker to elevate privileges further or take over the entire cluster.
Exploitation of this vulnerability could lead to unauthorized access to the Kubernetes API server as a service account, with all associated privileges, allowing access to cluster secrets and the potential to escalate privileges further or take over the cluster.
To reproduce this vulnerability, a malicious user can target a service account with elevated permissions, such as one associated with a DaemonSet that has a cluster role allowing updates to node resources. By taking control of a worker node, the user can manipulate pods running on that node to steal the service account token. Once the token is obtained, it can be used to authenticate with the Kubernetes API server and access all secrets in the cluster.
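The exposure described above depends on which service accounts hold cluster-wide rights over nodes or secrets, so a defender can list them from the RBAC objects. The following audit is an added example, not code from the advisory or from KubeSlice; it assumes input in the shape of `kubectl get clusterroles,clusterrolebindings -o json`, and every object name in the sample is constructed.

```python
import json

# Constructed sample; role, binding, account and namespace names are made up.
SAMPLE = json.loads('''{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "node-agent-role"},
  "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "update"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wildcard-role"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "b1"}, "roleRef": {"name": "node-agent-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "node-agent", "namespace": "example-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "b2"}, "roleRef": {"name": "metrics-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "example-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "b3"}, "roleRef": {"name": "wildcard-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "example-ops"}]}
]}''')

# Core-group resources and verbs that make a stolen token valuable in this scenario.
RISKY = {"nodes": {"update", "patch"}, "secrets": {"get", "list", "watch"}}

def risky_grants(rules):
    """Return the 'resource:verb' pairs from RISKY that a rule list allows."""
    found = set()
    for rule in rules or []:  # aggregated roles can carry rules: null
        if not ({"", "*"} & set(rule.get("apiGroups", []))):
            continue  # rule does not cover the core API group
        resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
        for res, bad in RISKY.items():
            if resources & {res, "*"}:
                hit = bad if "*" in verbs else verbs & bad
                found.update(f"{res}:{v}" for v in hit)
    return found

def audit(doc):
    """Map 'namespace/serviceaccount' to the risky cluster-wide grants it holds."""
    roles = {i["metadata"]["name"]: risky_grants(i.get("rules"))
             for i in doc["items"] if i["kind"] == "ClusterRole"}
    report = {}
    for b in (i for i in doc["items"] if i["kind"] == "ClusterRoleBinding"):
        grants = roles.get(b["roleRef"]["name"], set())
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount" and grants:
                report.setdefault(f'{s.get("namespace")}/{s["name"]}', set()).update(grants)
    return {sa: sorted(g) for sa, g in report.items()}

if __name__ == "__main__":
    for sa, grants in audit(SAMPLE).items():
        print(sa, grants)
```

Service accounts in the report that run on every node, for example through a DaemonSet, are the ones whose permissions are worth reducing first.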