
Voyager18 (research)

Fixing CVE-2024-29990 in Azure Kubernetes Service

Explore the critical CVE-2024-29990 vulnerability in Azure Kubernetes Service Confidential Containers, its impact, and remediation steps.

Yair Divinsky | April 10, 2024

Microsoft’s recent security patch release includes fixes for numerous vulnerabilities, with one critical flaw, CVE-2024-29990, standing out. This blog post delves into the details of this vulnerability, its potential impact, and how organizations can protect themselves.

TL;DR

Affected products: Azure Kubernetes Service Confidential Containers
Product category: Cloud Security
Severity: Critical
Type: Elevation of Privilege
Impact: Confidentiality (H), Integrity (H), Availability (H)
PoC: Yes
Exploit in the wild: No evidence
CISA catalog: No
Remediation action: Apply the latest security patches & updates to Azure Kubernetes Service
MITRE advisory: Read more

What is CVE-2024-29990?

The recent CSRB report sheds light on broader cyber security concerns within Microsoft, highlighting operational lapses, inadequate security culture, and vulnerabilities across its ecosystem.

While not directly tied to CVE-2024-29990, these insights underscore the critical need for comprehensive security reforms and proactive measures to address vulnerabilities and safeguard sensitive data.

CVE-2024-29990 is an elevation of privilege flaw affecting Microsoft Azure Kubernetes Service Confidential Container (AKSCC). With a CVSS severity score of 9.0, this vulnerability allows unauthenticated attackers to compromise AKS clusters, potentially leading to credential theft and unauthorized access. 

Background research indicates that the exploitation of CVE-2024-29990 could result in attackers gaining control over confidential guests and containers, extending beyond the network stack’s intended security boundaries. 


Does CVE-2024-29990 affect me?

Organizations utilizing Azure Kubernetes Service Confidential Container, particularly those running affected versions specified by Microsoft, are vulnerable to CVE-2024-29990. Readers can verify their system’s susceptibility by referencing Microsoft’s advisory and examining their AKS configurations. 

The potential impact of CVE-2024-29990 on individuals and organizations includes unauthorized access, data breaches, and compromise of critical infrastructure hosted on AKS clusters. 


Has CVE-2024-29990 been actively exploited in the wild?

While there are no reported instances of CVE-2024-29990 being exploited in the wild, its severity warrants proactive mitigation measures. Microsoft reports that a proof of concept (PoC) exists.

Security analysts emphasize the importance of staying informed about emerging threats and monitoring for any signs of exploitation.

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. An attacker who successfully exploited this vulnerability could steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC). 

Additionally, a threat actor can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to. An unauthenticated attacker can move the same workload onto a machine they control, where the attacker is root. 


How to fix CVE-2024-29990

Microsoft has recommended applying the latest security patches and updates to Azure Kubernetes Service to mitigate CVE-2024-29990. Additionally, organizations are advised to conduct thorough security audits, prioritize risk management, and implement best practices for securing AKS clusters. 

Users must ensure they are running the latest version of az confcom and Kata Image. 

Users who do not have az confcom installed can install the latest version by executing az extension add -n confcom. Users running versions prior to 0.3.3 need to update by executing az extension update -n confcom.
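A small shell check that applies the two commands above only when needed, added here as an example and not taken from the original post or from Microsoft. It assumes the Azure CLI's az extension show -n confcom --query version -o tsv reports the installed extension version (empty when the extension is absent) and that sort -V is available.

```shell
#!/bin/sh
# Added example (not from the original post or Microsoft): check whether the
# installed az confcom extension is older than 0.3.3, the cut-off version the
# post names for CVE-2024-29990, and install or update it accordingly.

MIN_CONFCOM_VERSION="0.3.3"   # from the post: versions prior to 0.3.3 need updating

# Return 0 (true) when version $1 sorts strictly before version $2.
# Uses sort -V (GNU coreutils / BusyBox) for dotted-version ordering.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Decide the remediation for a given installed version string.
# Prints exactly one of: install, update, ok
confcom_action() {
    installed="$1"
    if [ -z "$installed" ]; then
        echo install                      # extension not present at all
    elif version_lt "$installed" "$MIN_CONFCOM_VERSION"; then
        echo update                       # present but older than 0.3.3
    else
        echo ok                           # 0.3.3 or newer
    fi
}

# Ask the Azure CLI for the installed confcom version; empty string if absent.
# (Assumed CLI query form; the extension name and commands come from the post.)
installed_confcom_version() {
    az extension show -n confcom --query version -o tsv 2>/dev/null || true
}

# Apply the remediation the post describes for the detected state.
remediate_confcom() {
    case "$(confcom_action "$(installed_confcom_version)")" in
        install) az extension add -n confcom ;;
        update)  az extension update -n confcom ;;
        ok)      echo "az confcom is at or above $MIN_CONFCOM_VERSION; nothing to do" ;;
    esac
}

# Only touch the system when the Azure CLI is actually installed, so the
# functions above can be sourced and unit-checked on a machine without az.
if command -v az >/dev/null 2>&1; then
    remediate_confcom
fi
```

The same check can be run from a CI job before cluster changes so that a stale confcom extension fails the pipeline instead of silently producing an unpatched configuration.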

See also: Confidential computing plugin for Confidential VMs | Azure AgentBaker GitHub release notes


Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. 2023 Vulnerability watch reports 
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats
