According to the CVSS metric, Confidentiality is high (C:H) but Integrity is none (I:N) and Availability is none (A:N). What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could gain access to sensitive information such as Azure IoT Operations secrets and potentially other credentials or access tokens stored within the Kubernetes cluster. The attacker could not modify data or disrupt the cluster's availability through this vulnerability alone.

What actions do customers need to take to protect themselves from this vulnerability?
In addition to updating any affected Extensions used in their environment, customers must also update their Azure Arc Agent to version 1.14.6 or later using the steps described here: https://learn.microsoft.com/en-us/cli/azure/connectedk8s?view=azure-cli-latest#az-connectedk8s-upgrade. Updating the Extensions alone is not sufficient.

According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability?
An attacker must have access to the network to which the targeted Arc-enabled Kubernetes cluster is connected, but does not require permissions to connect to or manage the Kubernetes cluster in order to exploit the vulnerability.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
The vulnerability enables an attacker to compromise a Cluster Extension's identity token and use it to access other components or Azure resources associated with the Arc-enabled Kubernetes cluster, beyond the component that holds the vulnerability.

What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited this vulnerability could obtain the Azure Arc Cluster Extension's identity token, bypassing the Kubernetes namespace's RBAC, and use it to access other Azure resources on behalf of the Extension.
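The remediation above is a version check followed by an agent upgrade. The following script is an added example (not part of this advisory and not Microsoft's own tooling) that reads the connected cluster's reported agent version with `az connectedk8s show` and runs `az connectedk8s upgrade` only when that version is below 1.14.6. It assumes the `agentVersion` property exposed by `az connectedk8s show` is the installed Arc agent version, that the Azure CLI is logged in with rights to the cluster resource, and that `sort -V` is available; the cluster and resource-group names are placeholders passed on the command line.

```shell
#!/usr/bin/env bash
# Added example: detect an Arc-enabled Kubernetes cluster whose Arc agent is
# below the fixed version (1.14.6) and upgrade it with az connectedk8s.
# Not from the advisory; cluster/resource-group names are placeholders.
set -euo pipefail

# First agent version that carries the fix, per the advisory.
FIXED_AGENT_VERSION="1.14.6"

# version_lt A B: returns 0 (true) when version A is strictly lower than B.
# Uses version-aware sort so that 1.14.10 is correctly newer than 1.14.6.
version_lt() {
  [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# arc_agent_needs_upgrade VERSION: returns 0 when VERSION still needs the fix.
arc_agent_needs_upgrade() {
  version_lt "$1" "$FIXED_AGENT_VERSION"
}

# Assumption: the connected cluster resource reports the installed agent
# version in its agentVersion property.
get_arc_agent_version() {
  local cluster="$1" rg="$2"
  az connectedk8s show --name "$cluster" --resource-group "$rg" \
    --query agentVersion --output tsv
}

# Check the live cluster and upgrade only if it is still vulnerable.
check_and_upgrade() {
  local cluster="$1" rg="$2" current
  current="$(get_arc_agent_version "$cluster" "$rg")"
  if arc_agent_needs_upgrade "$current"; then
    echo "Arc agent $current on $cluster is below $FIXED_AGENT_VERSION; upgrading"
    # Without --agent-version this upgrades to the latest released agent,
    # which is at or above the fixed version.
    az connectedk8s upgrade --name "$cluster" --resource-group "$rg"
  else
    echo "Arc agent $current on $cluster is already >= $FIXED_AGENT_VERSION"
  fi
}

# Usage: ./check-arc-agent.sh <cluster-name> <resource-group>
if [ "$#" -eq 2 ]; then
  check_and_upgrade "$1" "$2"
fi
```

Run it once per Arc-enabled cluster; the Extensions named in the advisory still have to be updated separately, since the script only addresses the agent half of the remediation.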
Vladimir Abramzon with Microsoft Offensive Research Security Engineering