CVE-2024-21376

Published: 13 Feb 2024
Source: msrc
CVSS3: 9
EPSS: Low

Description

Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability

FAQ

Is there any action I need to take to be protected from this vulnerability?

Customers must ensure they are running the latest version of az confcom and Kata Image.

Customers who do not have az confcom installed can install the latest version by executing az extension add -n confcom. Customers who are running versions prior to 0.3.3 need to update by executing az extension update -n confcom. For more information, reference:

According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An attacker who successfully exploited this vulnerability could steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC).

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

How could an attacker exploit this vulnerability?

An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to.

According to the CVSS metric, privileges required is none (PR:N). Does the attacker need to be authenticated?

No. An unauthenticated attacker can move the same workload onto a machine they control, where the attacker is root.
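
The update guidance in the first FAQ answer, as an added shell example (not MSRC's or this page's own code): it maps an installed confcom version to the command the advisory names for it. The function names and sample versions are constructed, reading the `version` field from `az extension show` is an assumption, and the Kata Image is not checked.

```shell
#!/bin/sh
# Added example: pick the advisory's command for an installed confcom version.
FIXED_VERSION="0.3.3"   # versions prior to this must be updated (per the FAQ)

# version_lt A B: succeeds when dotted numeric version A is older than B.
version_lt() {
    a_rest="$1"; b_rest="$2"
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a_head="${a_rest%%.*}"; b_head="${b_rest%%.*}"
        case "$a_rest" in *.*) a_rest="${a_rest#*.}" ;; *) a_rest="" ;; esac
        case "$b_rest" in *.*) b_rest="${b_rest#*.}" ;; *) b_rest="" ;; esac
        # Leading digits only; a missing component counts as 0 (0.3 == 0.3.0).
        a_num="${a_head%%[!0-9]*}"; a_num="${a_num:-0}"
        b_num="${b_head%%[!0-9]*}"; b_num="${b_num:-0}"
        if [ "$a_num" -lt "$b_num" ]; then return 0; fi
        if [ "$a_num" -gt "$b_num" ]; then return 1; fi
    done
    return 1   # equal versions are not "older"
}

# confcom_action VERSION: print the command to run, or "none".
# An empty VERSION means the extension is not installed.
confcom_action() {
    if [ -z "$1" ]; then
        echo "az extension add -n confcom"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "az extension update -n confcom"
    else
        echo "none"
    fi
}

# installed_confcom_version: query the local Azure CLI; prints nothing when
# az or the extension is absent. Assumes the "version" field of the output.
installed_confcom_version() {
    command -v az >/dev/null 2>&1 || return 0
    az extension show -n confcom --query version -o tsv 2>/dev/null || true
}

# Constructed sample versions ("" = not installed), then the local machine.
for v in "" "0.2.18" "0.3.2" "0.3.3" "0.10.0"; do
    printf '%-8s -> %s\n' "${v:-absent}" "$(confcom_action "$v")"
done
printf 'local    -> %s\n' "$(confcom_action "$(installed_confcom_version)")"
```

The comparison is numeric per component, so 0.10.0 is treated as newer than 0.3.3, which a plain string comparison would get wrong.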

Updates

Product | Article | Update
Azure Kubernetes Service Confidential Containers


Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation Less Likely
DOS: N/A

EPSS

Percentile: 51%
0.00275
Low

CVSS3: 9 Critical

Related vulnerabilities

CVSS3: 9
nvd
almost 2 years ago

Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability

CVSS3: 9
github
almost 2 years ago

Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability

CVSS3: 9
fstec
almost 2 years ago

A vulnerability in Azure Kubernetes Service Confidential Containers, the software for deploying and managing confidential containers, related to insufficient input validation, that allows an attacker to execute arbitrary code
