CVE-2024-21400
📋 TL;DR
This vulnerability lets an attacker who can already run code inside a Microsoft Azure Kubernetes Service (AKS) confidential container elevate privileges, break out of the container's isolation boundary and potentially take control of the underlying node. It affects AKS clusters that run confidential containers, a feature that uses hardware-based isolation to shield sensitive workloads from the node they run on; once that boundary is broken, the attacker can reach other containers and host resources on the same node.
💻 Affected Systems
- Microsoft Azure Kubernetes Service
📦 What is this software?
Azure Kubernetes Service (AKS) is Microsoft's managed Kubernetes offering on Azure. Its confidential containers feature runs selected pods inside hardware-isolated confidential virtual machines, so that the node's host operating system cannot read or modify the workload's memory. That hardware isolation boundary is what this vulnerability breaks.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the AKS cluster node, allowing lateral movement to other nodes, data exfiltration, and persistent backdoor installation across the Kubernetes environment.
Likely Case
Container escape leading to unauthorized access to other containers on the same node, credential theft, and potential access to sensitive data within the cluster.
If Mitigated
Limited impact with proper network segmentation, minimal permissions, and monitoring, though container isolation would still be breached.
🎯 Exploit Status
Exploitation first requires code execution inside a vulnerable confidential container (for example through a compromised application running in it); no public exploit code was available when the advisory was published.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the fix ships through AKS platform updates that Microsoft rolls into cluster and node image releases; the vendor advisory lists the exact component versions. Compare them against the Kubernetes version and the node image version of every node pool that runs confidential containers (Azure portal or CLI), not only against the cluster version.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21400
Restart Required: Yes
Instructions:
1. Sign in to the Azure portal and open your AKS cluster.
2. Under 'Settings' > 'Cluster configuration', check for available Kubernetes upgrades and apply the recommended release.
3. Under 'Settings' > 'Node pools', check the node image version of every node pool that runs confidential containers and apply a node image upgrade to any pool that is older than the fixed release named in the advisory.
4. Nodes are cordoned, drained and reimaged during the upgrade, so they restart automatically; afterwards confirm that each confidential-container pool reports the fixed node image version.
🔧 Temporary Workarounds
Remove the node pools that run confidential containers
If the workloads do not strictly need confidential isolation, temporarily delete (or scale to zero) the node pools whose workload runtime is KataCcIsolation; this takes the vulnerable component out of the cluster. Pods that request runtimeClassName kata-cc-isolation will no longer schedule, and any workload you move to a regular node pool loses its hardware isolation, so treat this as a stop-gap only.
az aks nodepool list --resource-group <resource-group> --cluster-name <cluster-name> --query "[?workloadRuntime=='KataCcIsolation'].name" -o tsv
az aks nodepool delete --resource-group <resource-group> --cluster-name <cluster-name> --name <nodepool-name>
🧯 If You Can't Patch
- Implement strict network policies to limit container-to-container and container-to-host communication within the cluster.
- Apply principle of least privilege to service accounts and pod security contexts; use Kubernetes Pod Security Standards (PSS) in restricted mode.
🔍 How to Verify
Check if Vulnerable:
Check whether any node pool in the cluster runs confidential containers (workload runtime KataCcIsolation); a cluster without such a pool is not exposed through this feature:
az aks nodepool list --resource-group <rg> --cluster-name <cluster> --query "[?workloadRuntime=='KataCcIsolation'].{name:name, image:nodeImageVersion}" -o table
Check Version:
az aks show --resource-group <resource-group> --name <cluster-name> --query 'kubernetesVersion' -o tsv
az aks nodepool list --resource-group <resource-group> --cluster-name <cluster-name> --query '[].{name:name, runtime:workloadRuntime, k8s:orchestratorVersion, image:nodeImageVersion}' -o table
Verify Fix Applied:
Confirm in the Azure portal ('Properties' > 'Kubernetes version', plus the node image version shown for each node pool) or with the CLI that the cluster and every confidential-container node pool are on the fixed releases named in the advisory, and that no security alerts are open for the cluster. A current Kubernetes version on its own is not proof: the node pools that run confidential containers must carry the fixed node image.
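The checks above are the manual version. The following is an added example, not Microsoft's tooling or part of the original advisory: it reads the JSON printed by `az aks nodepool list -o json`, picks out the pools whose workload runtime is KataCcIsolation and compares each pool's node image date stamp against a cut-off. The field names (name, workloadRuntime, nodeImageVersion) are real AKS node pool properties; the sample pool list and the cut-off `MIN_FIXED_STAMP` are constructed placeholders, so take the real cut-off from the vendor advisory.

```python
"""Inventory AKS node pools that run confidential containers and flag stale node images.

Added example, not Microsoft's code. Feed it the JSON from
    az aks nodepool list --resource-group <rg> --cluster-name <cluster> -o json
"""
import json
import re
from typing import Any

CC_RUNTIME = "KataCcIsolation"  # workloadRuntime value of AKS confidential-container pools

# AKS node image versions end in a YYYYMM.DD.patch stamp,
# e.g. AKSUbuntu-2204gen2containerd-202403.05.0
_STAMP = re.compile(r"-(\d{6})\.(\d{2})\.(\d+)$")


def image_stamp(node_image_version: str) -> tuple[int, int, int]:
    """Return the (yyyymm, dd, patch) triple so two image versions can be ordered."""
    m = _STAMP.search(node_image_version)
    if not m:
        raise ValueError(f"unrecognised node image version: {node_image_version!r}")
    return tuple(int(g) for g in m.groups())


def find_affected_pools(nodepools: list[dict[str, Any]],
                        min_stamp: tuple[int, int, int]) -> list[dict[str, Any]]:
    """Return the confidential-container pools whose node image predates min_stamp.

    Pools on other runtimes are irrelevant to this CVE and are skipped. A pool
    that reports no nodeImageVersion (still provisioning, or an API hiccup) is
    reported as 'unknown' rather than silently treated as patched.
    """
    affected = []
    for pool in nodepools:
        if pool.get("workloadRuntime") != CC_RUNTIME:
            continue
        version = pool.get("nodeImageVersion")
        if not version:
            affected.append({"name": pool["name"], "nodeImageVersion": None,
                             "status": "unknown"})
            continue
        if image_stamp(version) < min_stamp:
            affected.append({"name": pool["name"], "nodeImageVersion": version,
                             "status": "needs-upgrade"})
    return affected


# Constructed sample of what `az aks nodepool list -o json` might print; not real data.
SAMPLE_NODEPOOLS = json.loads("""
[
  {"name": "system",  "workloadRuntime": "OCIContainer",    "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202402.26.0"},
  {"name": "ccpool1", "workloadRuntime": "KataCcIsolation", "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202402.26.0"},
  {"name": "ccpool2", "workloadRuntime": "KataCcIsolation", "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202403.12.0"},
  {"name": "ccpool3", "workloadRuntime": "KataCcIsolation", "nodeImageVersion": null}
]
""")

# Hypothetical cut-off: the date stamp of the first node image that carries the fix.
# Replace with the real value from the vendor advisory / AKS release notes.
MIN_FIXED_STAMP = (202403, 12, 0)

if __name__ == "__main__":
    for pool in find_affected_pools(SAMPLE_NODEPOOLS, MIN_FIXED_STAMP):
        print(pool)
```

Run it against the real `az` output by loading the JSON file instead of `SAMPLE_NODEPOOLS`; anything reported as `needs-upgrade` gets a node image upgrade, and anything reported as `unknown` gets a second look before you declare the cluster patched.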
📡 Detection & Monitoring
Log Indicators:
- Privilege escalation or namespace-switching activity (nsenter, chroot, unshare, mounting host devices) in container runtime logs (containerd on AKS nodes)
- Suspicious process creation from containers in host audit logs
- Kubernetes API server logs showing unauthorized pod or node access attempts
Network Indicators:
- Anomalous outbound connections from containers to cluster nodes or external IPs
- Unexpected network traffic between containers that should be isolated
SIEM Query (KQL; table and column names follow your connector's schema):
ContainerRuntimeLogs
| where ProcessName in ("nsenter", "chroot", "unshare") or CommandLine has_any ("nsenter", "chroot", "unshare") or CommandLine contains "/proc/1/root"
| where ContainerImage contains "confidential"
Filtering on the image name is only a heuristic; if your telemetry carries the pod's runtimeClassName, key on kata-cc-isolation instead, and allowlist the kube-system DaemonSets (CSI, CNI) that legitimately mount host devices.
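To make the indicators above concrete, here is an added example (not part of the original advisory and not a Microsoft detection) that applies the same logic in Python to a handful of process-creation events: it flags namespace/root-switching tools and host-path references, raises the severity when the source pod runs under the kata-cc-isolation runtime class, and allowlists a namespace whose DaemonSets legitimately mount host devices. The event field names (`namespace`, `pod`, `runtimeClass`, `uid`, `cmdline`), the `TRUSTED_NAMESPACES` set and the sample log lines are assumptions and constructed data; map them onto whatever your audit or runtime-security connector emits.

```python
"""Flag container-escape indicators from confidential-container pods in process events.

Added example, not Microsoft's detection. Field names and sample events are constructed.
"""
import json
import re
from typing import Optional

CC_RUNTIME_CLASS = "kata-cc-isolation"  # runtimeClassName of AKS confidential-container pods

# Tools that switch namespaces or roots, or mount filesystems: no business in an isolated workload.
ESCAPE_TOOLS = {"nsenter", "chroot", "unshare", "setns", "pivot_root", "mount"}
# Arguments that point at the host rather than the container's own view of the system.
HOST_PATH_PREFIXES = ("/proc/1/", "/host", "/dev/sd", "/dev/nvme", "/dev/mem")
_HOST_PID = re.compile(r"(?:^|\s)(?:-t|--target)[ =]1(?:\s|$)")  # nsenter -t 1 / --target=1
# Assumption: namespaces whose DaemonSets (CSI drivers, CNI) legitimately mount host devices.
TRUSTED_NAMESPACES = {"kube-system"}


def classify(event: dict) -> tuple[Optional[str], list[str]]:
    """Return (severity, reasons); severity is 'high', 'medium' or None."""
    if event.get("namespace") in TRUSTED_NAMESPACES:
        return None, []
    cmdline = event.get("cmdline", "")
    argv = cmdline.split()
    if not argv:
        return None, []
    reasons = []
    tool = argv[0].rsplit("/", 1)[-1]  # basename, so /usr/bin/nsenter is caught too
    if tool in ESCAPE_TOOLS:
        reasons.append(f"namespace/root-switching or mount tool: {tool}")
    if _HOST_PID.search(cmdline):
        reasons.append("targets host PID 1")
    if any(arg.startswith(HOST_PATH_PREFIXES) for arg in argv[1:]):
        reasons.append("references host paths or raw block devices")
    if not reasons:
        return None, []
    if event.get("runtimeClass") == CC_RUNTIME_CLASS:
        reasons.append("pod runs under kata-cc-isolation: crosses the confidential boundary")
        return "high", reasons
    return "medium", reasons


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per event that scored, preserving input order."""
    hits = []
    for ev in events:
        severity, reasons = classify(ev)
        if severity:
            hits.append({"pod": ev.get("pod"), "namespace": ev.get("namespace"),
                         "node": ev.get("node"), "severity": severity, "reasons": reasons})
    return hits


# Constructed sample events (JSON lines); not real telemetry.
SAMPLE_LOG = """\
{"node": "aks-ccpool1-12345678-vmss000000", "namespace": "payments", "pod": "ledger-0", "runtimeClass": "kata-cc-isolation", "uid": 0, "cmdline": "nsenter -t 1 -m -u -i -n -p -- /bin/sh"}
{"node": "aks-ccpool1-12345678-vmss000000", "namespace": "kube-system", "pod": "csi-azuredisk-node-abcde", "runtimeClass": "", "uid": 0, "cmdline": "mount -t ext4 /dev/sdc /var/lib/kubelet/plugins/kubernetes.io/csi/pv/disk-1/globalmount"}
{"node": "aks-ccpool1-12345678-vmss000000", "namespace": "payments", "pod": "ledger-0", "runtimeClass": "kata-cc-isolation", "uid": 1000, "cmdline": "/usr/bin/python3 /app/server.py"}
{"node": "aks-nodepool1-12345678-vmss000001", "namespace": "web", "pod": "frontend-7d9c", "runtimeClass": "", "uid": 0, "cmdline": "chroot /host /bin/bash"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.splitlines() if line.strip()]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["severity"], hit["namespace"], hit["pod"], "; ".join(hit["reasons"]))
```

The second sample event is the reason for the allowlist: a CSI node driver mounting a managed disk looks exactly like an escape unless you scope by namespace or workload identity, so tune `TRUSTED_NAMESPACES` to your cluster rather than relying on image-name substrings.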