"Exploiting these flaws could allow attackers to gain persistent access as shadow administrators over the entire Airflow Azure Kubernetes Service (AKS) cluster," according to Palo Alto Networks Unit 42. The finding underscores the potential for malicious actors to conduct covert operations undetected, even though Microsoft classified the issues as low severity.
Unit 42 adds: "Besides obtaining unauthorized access, the attacker could take advantage of the flaws in the Geneva service to potentially tamper with log data or send fake logs to avoid raising suspicion when creating new pods or accounts." This illustrates the significant threat posed by the identified vulnerabilities.
The initial access technique involves crafting a directed acyclic graph (DAG) file and uploading it to a private GitHub repository connected to the Airflow cluster, or altering an existing DAG file. The goal is to launch a reverse shell to an external server as soon as it's imported.
Although the shell obtained in this manner was found to be running under the context of the Airflow user in a Kubernetes pod with minimal permissions, further analysis identified a service account with cluster-admin permissions connected to the Airflow runner pod, indicating substantial misconfigurations.
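A defender-side check that follows from this finding, as an added example that is not part of the article or of Unit 42's research: the script below walks the JSON that `kubectl get clusterrolebindings -o json` and `kubectl get pods -A -o json` return and reports every pod whose service account is bound to `cluster-admin`, which is the misconfiguration described above. The two sample documents embedded in it are constructed, and the `airflow` namespace, the `airflow-runner` service account and the pod names are hypothetical.

```python
"""Report pods that run under a service account bound to cluster-admin.

Added example; it is not code from the article or from Unit 42. It reads the
object shape returned by `kubectl get clusterrolebindings -o json` and
`kubectl get pods -A -o json`. The two documents below are constructed
samples; every namespace, pod and account name in them is hypothetical.
"""
import json

CLUSTER_ADMIN_ROLE = "cluster-admin"

# Constructed sample: one binding hands cluster-admin to a ServiceAccount,
# the other is the normal system:masters Group binding (not a ServiceAccount).
SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "airflow-runner-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "airflow-runner",
                 "namespace": "airflow"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "airflow-web-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "airflow-web",
                 "namespace": "airflow"}]}
]}
""")

# Constructed sample: two pods in the hypothetical airflow namespace.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "airflow-runner-0", "namespace": "airflow"},
   "spec": {"serviceAccountName": "airflow-runner"}},
  {"metadata": {"name": "airflow-web-0", "namespace": "airflow"},
   "spec": {"serviceAccountName": "airflow-web"}}
]}
""")


def cluster_admin_service_accounts(bindings):
    """Return the set of (namespace, name) ServiceAccounts bound to cluster-admin.

    Only ClusterRoleBindings whose roleRef is the cluster-admin ClusterRole count;
    Group and User subjects are ignored because we are after pod identities.
    """
    found = set()
    for item in bindings.get("items", []):
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole":
            continue
        if role_ref.get("name") != CLUSTER_ADMIN_ROLE:
            continue
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "ServiceAccount":
                # A subject without a namespace refers to "default".
                found.add((subject.get("namespace", "default"), subject["name"]))
    return found


def pods_with_cluster_admin(pods, admin_accounts):
    """List 'namespace/pod (sa=name)' for pods whose SA is in admin_accounts.

    A pod spec with no serviceAccountName runs as the namespace's "default" SA.
    """
    hits = []
    for pod in pods.get("items", []):
        meta = pod["metadata"]
        account = pod.get("spec", {}).get("serviceAccountName", "default")
        if (meta["namespace"], account) in admin_accounts:
            hits.append(f"{meta['namespace']}/{meta['name']} (sa={account})")
    return hits


def audit(bindings, pods):
    """Combine both checks; returns the list of offending pods."""
    return pods_with_cluster_admin(pods, cluster_admin_service_accounts(bindings))


if __name__ == "__main__":
    for line in audit(SAMPLE_BINDINGS, SAMPLE_PODS):
        print("cluster-admin pod:", line)
```

Against a live cluster, replace the two sample documents with `json.load()` of the `kubectl` output; a pod in the result is running as a cluster-wide administrator, and the binding that grants it should be removed or narrowed to a namespaced Role.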