CVE-2024-21400

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

According to the CVSS metric, privileges required is none (PR:N). Does the attacker need to be authenticated?

No. An unauthenticated attacker can move the same workload onto a machine they control, where the attacker is root.

According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An attacker who successfully exploited this vulnerability could steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC).

Is there any action I need to take to be protected from this vulnerability?

Customer must ensure they are running the latest version of az confcom and Kata Image.

Customers who do not have az confcom installed can install the latest version by executing az extension add -n confcom. Customers who are running versions prior to 0.3.3 need to update by executing az extension update -n confcom. For more information, reference:

• Confidential computing plugin for Confidential VMs.
• https://learn.microsoft.com/en-us/cli/azure/extension?view=azure-cli-latest#az-extension-update
• https://github.com/Azure/AgentBaker/blob/master/vhdbuilder/release-notes/AKSCBLMarinerV2/gen2kata/202402.26.0.txt

How could an attacker exploit this vulnerability?

An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to.