CVE-2024-29990
📋 TL;DR
This vulnerability allows an attacker with access to an Azure Kubernetes Service (AKS) confidential container to escalate privileges and potentially gain control over the underlying host node. It affects AKS clusters using confidential containers, primarily impacting organizations running sensitive workloads in Azure's confidential computing environments.
💻 Affected Systems
- Microsoft Azure Kubernetes Service
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the AKS node, allowing access to other containers on the same node, potential data exfiltration from confidential workloads, and lateral movement within the Kubernetes cluster.
Likely Case
Privilege escalation within the container leading to unauthorized access to sensitive data or resources within the confidential computing environment.
If Mitigated
Limited impact due to network segmentation, minimal permissions, and proper isolation between containers and nodes.
🎯 Exploit Status
Requires initial access to a container within the AKS cluster. Exploitation involves specific conditions within the confidential container environment.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security update applied automatically by Microsoft
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29990
Restart Required: Yes
Instructions:
1. Microsoft automatically applies security updates to AKS clusters.
2. Ensure your AKS cluster is running the latest platform version.
3. Restart affected nodes after the update is applied.
🔧 Temporary Workarounds
Disable confidential containers
Linux: Temporarily disable confidential computing node pools if your workload does not require them
az aks nodepool update --resource-group <RG> --cluster-name <AKS> --name <nodepool> --disable-confidential-computing
🧯 If You Can't Patch
- Implement strict network policies to limit container-to-container communication
- Apply least privilege principles to container service accounts and limit host access
🔍 How to Verify
Check if Vulnerable:
Check whether your AKS cluster uses confidential containers and has not yet received the latest security update.
Check Version:
az aks show --resource-group <RG> --name <AKS> --query kubernetesVersion
Verify Fix Applied:
Verify your AKS cluster platform version is updated and nodes have been restarted
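To make the verification above repeatable, the following added Python example (not part of this advisory or of Microsoft's tooling) inspects saved `az aks show` and `az aks nodepool list` output. It assumes confidential-container node pools report a `workloadRuntime` of `KataCcIsolation`, and the fixed node image date it compares against is a placeholder to be taken from the vendor advisory; the JSON samples are constructed.

```python
import json

# Constructed sample output in the shape of `az aks show` and `az aks nodepool list`
# (field names follow the AKS resource model; the values are made up for this example).
CLUSTER_JSON = '''{"name": "aks-sample", "kubernetesVersion": "1.28.5",
 "autoUpgradeProfile": {"nodeOsUpgradeChannel": "NodeImage"}}'''
NODEPOOLS_JSON = '''[
 {"name": "system", "workloadRuntime": "OCIContainer",
  "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202404.09.0"},
 {"name": "ccpool", "workloadRuntime": "KataCcIsolation",
  "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202403.19.0"}
]'''

# Assumption: confidential-container node pools report this workload runtime.
CC_RUNTIME = "KataCcIsolation"


def load_sample():
    """Parse the constructed sample; replace with json.load of real CLI output."""
    return json.loads(CLUSTER_JSON), json.loads(NODEPOOLS_JSON)


def confidential_pools(pools):
    """Names of node pools that run confidential containers (the exposed surface)."""
    return [p["name"] for p in pools if p.get("workloadRuntime") == CC_RUNTIME]


def image_date(node_image_version):
    """Extract the YYYYMM.DD.N suffix of an AKS node image version for ordering."""
    return node_image_version.rsplit("-", 1)[-1]


def exposure_report(cluster, pools, fixed_image_date):
    """Flag confidential-container pools whose node image predates the fixed image.
    fixed_image_date is a placeholder: take the real value from the vendor advisory."""
    findings = []
    for name in confidential_pools(pools):
        pool = next(p for p in pools if p["name"] == name)
        image = pool.get("nodeImageVersion", "")
        status = "current" if image_date(image) >= fixed_image_date else "needs update/restart"
        findings.append({"pool": name, "nodeImageVersion": image, "status": status})
    return {
        "cluster": cluster["name"],
        "kubernetesVersion": cluster["kubernetesVersion"],
        "nodeOsUpgradeChannel": cluster.get("autoUpgradeProfile", {}).get("nodeOsUpgradeChannel"),
        "findings": findings,
    }


if __name__ == "__main__":
    c, p = load_sample()
    print(json.dumps(exposure_report(c, p, "202404.09.0"), indent=2))
```

A pool reported as "needs update/restart" still has to be restarted after the platform update lands, as the instructions above require.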
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts within containers
- Suspicious container-to-host interactions in audit logs
Network Indicators:
- Unexpected network connections from containers to node metadata services
SIEM Query:
ContainerLogs | where ContainerName contains "confidential" | where Message contains "privilege" or Message contains "escalation"