CVE-2024-9779 is a vulnerability identified in Open Cluster Management (OCM) version 0.12.0, specifically involving the cluster-manager deployment's service account permissions. The cluster-manager service account is bound to a ClusterRole named "cluster-manager" that includes the ability to create Pod resources. This design flaw creates a trust boundary violation: if an attacker gains access to a worker node that hosts the cluster-manager or klusterlet deployments, they can exploit this to escalate privileges. The attacker can cause a pod to run on the compromised node, extract the cluster-manager's service account token, and then use it to create and mount any other service account token within the cluster. This effectively allows the attacker to impersonate any service account, leading to full cluster control. The vulnerability does not require prior authentication or user interaction but does require network-level access to the worker nodes. The CVSS v3.1 score is 7.5 (high), reflecting the significant impact on integrity and confidentiality, though availability is not affected. The vulnerability stems from improper isolation and overly permissive RBAC (Role-Based Access Control) configurations in OCM's cluster-manager deployment. No patches or exploits in the wild have been reported as of the publication date, but the risk remains substantial given the potential for cluster-wide compromise.

For European organizations, the impact of CVE-2024-9779 is substantial, especially those relying on Kubernetes clusters managed by Open Cluster Management 0.12.0. An attacker exploiting this vulnerability can gain unauthorized access to sensitive workloads, steal credentials, and manipulate cluster resources, leading to data breaches, service disruptions, or deployment of malicious containers. This could affect cloud service providers, financial institutions, critical infrastructure operators, and enterprises with containerized environments. The compromise of cluster-manager tokens undermines the integrity and confidentiality of the entire Kubernetes environment, potentially enabling lateral movement and persistent access. Given the widespread adoption of Kubernetes and OCM in Europe, particularly in countries with advanced cloud infrastructure, the threat could lead to significant operational and reputational damage. Additionally, regulatory compliance risks arise from unauthorized access to personal or sensitive data processed within these clusters.

To mitigate CVE-2024-9779, European organizations should: 1) Upgrade OCM to a version where this vulnerability is patched once available; 2) Restrict network access to worker nodes hosting cluster-manager or klusterlet deployments, limiting exposure to trusted administrators only; 3) Review and tighten RBAC permissions for the cluster-manager service account to follow the principle of least privilege, removing unnecessary Pod creation rights; 4) Implement node-level security controls such as node isolation, runtime security monitoring, and integrity verification to detect unauthorized pod creation; 5) Use Kubernetes Pod Security Policies or equivalent admission controllers to prevent untrusted pods from running on critical nodes; 6) Monitor Kubernetes audit logs for suspicious service account token usage or pod creation activities; 7) Employ network segmentation and zero-trust principles to reduce the attack surface; 8) Regularly rotate service account tokens and credentials to limit token reuse; 9) Conduct penetration testing and red team exercises focused on node-level access scenarios to validate defenses.