CVE-2024-9779: Incorrect Privilege Assignment
A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.
AI Analysis
Technical Summary
CVE-2024-9779 is a privilege escalation vulnerability in Open Cluster Management (OCM); this record lists version 0.12.0 as affected. The cluster-manager deployment runs under a service account named "cluster-manager" that is bound, through a ClusterRoleBinding, to a ClusterRole of the same name. That ClusterRole grants create on Pod resources, and because the binding is cluster-scoped the grant applies in every namespace. A Pod-create permission looks harmless for a controller, but in Kubernetes whoever can create a pod in a namespace also chooses which service account the pod runs as and, via nodeName, which node it lands on, and the chosen account's token is mounted into the pod. An attacker who controls a worker node (root on the host, or the kubelet's credentials) can read the token of any pod scheduled there, including a cluster-manager pod. With that token the attacker creates pods in privileged namespaces that run as their most powerful service accounts, pins them to the compromised node, and reads the mounted tokens from the node's filesystem, impersonating each account in turn until the cluster is fully under their control. The chain needs no user interaction and no cluster credentials beyond what the node already holds, but it does need control of a node that hosts, or can be made to host, a cluster-manager or klusterlet pod; that is a significant precondition, yet node compromise is a standard step in Kubernetes threat models. The record carries a CVSS v3.1 base score of 7.5 (High), driven by the network attack vector and high integrity impact. No public exploit was known at the time of writing, but the consequence of a successful chain is total cluster compromise. The underlying defect is excessive privilege assignment: a controller should receive only the verbs and namespaces it actually needs, and node access must be treated as a trust boundary.
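The misconfiguration described above is easy to miss in a large RBAC surface, so here is an added audit helper (not OCM project code) that walks ClusterRoles and ClusterRoleBindings and reports every ServiceAccount holding cluster-wide pods/create. The sample objects are constructed to mirror the advisory's binding; the namespace "open-cluster-management" for the cluster-manager ServiceAccount is an assumption.

```python
"""Find ServiceAccounts that hold cluster-wide Pod creation rights.

Added audit helper for the RBAC review; it is not part of OCM. Feed it the
output of
  kubectl get clusterroles,clusterrolebindings -o json
or run it as-is against the constructed sample objects below, which mirror
the advisory's binding of the cluster-manager ServiceAccount (assumed here
to live in the open-cluster-management namespace) to a ClusterRole that
grants create on pods.
"""
import json
import sys


def rule_grants(rule, api_group, resource, verb):
    """True if one RBAC PolicyRule grants `verb` on `resource` in `api_group`.

    Kubernetes treats "*" as a wildcard in each list. Subresources such as
    "pods/log" are distinct strings and deliberately do not match "pods".
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def find_cluster_wide_pod_creators(cluster_roles, cluster_role_bindings):
    """Return sorted (namespace/serviceaccount, clusterrole) pairs for every
    ServiceAccount that a ClusterRoleBinding ties to a ClusterRole allowing
    create on core-group pods.

    Only ClusterRoleBindings are considered: a RoleBinding that references
    the same ClusterRole confines the grant to a single namespace, which is
    a far smaller problem than the cluster-wide grant in the advisory.
    """
    risky_roles = {
        role["metadata"]["name"]
        for role in cluster_roles
        if any(rule_grants(r, "", "pods", "create") for r in role.get("rules", []))
    }
    found = set()
    for binding in cluster_role_bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue  # users and groups are out of scope for this check
            sa = f'{subject.get("namespace", "default")}/{subject["name"]}'
            found.add((sa, ref["name"]))
    return sorted(found)


def split_kubectl_list(doc):
    """Split a kubectl 'List' document into (cluster_roles, bindings)."""
    items = doc.get("items", [])
    roles = [i for i in items if i.get("kind") == "ClusterRole"]
    bindings = [i for i in items if i.get("kind") == "ClusterRoleBinding"]
    return roles, bindings


# Constructed sample objects, not dumped from a real cluster.
SAMPLE_CLUSTER_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-manager"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "configmaps"],
          "verbs": ["get", "list", "watch", "create", "delete"]},
         {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "cluster-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "cluster-manager",
                   "namespace": "open-cluster-management"}]},
    {"kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitor",
                   "namespace": "monitoring"}]},
    {"kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            roles, bindings = split_kubectl_list(json.load(fh))
    else:
        roles, bindings = SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS
    for sa, role in find_cluster_wide_pod_creators(roles, bindings):
        print(f"{sa} can create pods in every namespace via ClusterRole {role}")
```

On the sample data only the cluster-manager binding is reported: pod-reader lacks the create verb, and wildcard-admin is bound to a group rather than a ServiceAccount. For a quick spot check against a live cluster the same question can be asked of the API server directly with `kubectl auth can-i create pods --all-namespaces --as=system:serviceaccount:open-cluster-management:cluster-manager`, adjusting the namespace to wherever your cluster-manager runs.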
Potential Impact
The impact is substantial for organizations running the affected OCM release (recorded here as 0.12.0). An attacker who already controls a worker node can turn that foothold into control of the entire hub cluster by harvesting service account tokens, instead of being confined to the workloads scheduled on that node. That breaks the confidentiality of every secret and credential the cluster holds, lets the attacker create and alter workloads at will, and gives them the means for lateral movement and durable backdoors such as extra role bindings or long-lived tokens. Availability is not part of the recorded impact, but an attacker with cluster-wide control can disrupt any service they choose. Because OCM hubs manage and apply policy to fleets of managed clusters, a compromised hub puts every cluster it governs at risk of widespread compromise. The node-access prerequisite means the realistic adversaries are insiders and attackers who have already breached the perimeter or escaped a container onto the host; for them this flaw is the step from one node to the whole cluster, which is why it matters for any enterprise running Kubernetes at scale.
Mitigation Recommendations
Upgrade to an OCM release that the vendor advisory lists as fixed. Until that is done, or where upgrading is not possible, the following reduce exposure. Treat worker nodes that host cluster-manager or klusterlet pods as part of the control plane: restrict SSH and kubelet credential access to trusted administrators, and use node isolation (taints and tolerations, node selectors, or a dedicated node pool) so that untrusted workloads never share a node with those pods. Review the RBAC attached to the cluster-manager service account against the principle of least privilege; if pod creation is not needed by your deployment, remove the verb, and if it is, scope it to the namespaces that need it with a RoleBinding rather than a ClusterRoleBinding. Monitor API-server audit logs for Pod creates by service accounts that specify a serviceAccountName other than their own or that pin nodeName, and alert on a service account token being used from an unexpected source address. Run runtime security tooling on nodes to catch processes reading other pods' projected token files. Pod Security Admission (the replacement for the PodSecurityPolicy API, which was removed in Kubernetes 1.25) limits what a pod may do but does not restrict which service account it runs as, so enforce that with a policy engine such as Kyverno or OPA Gatekeeper, or with a ValidatingAdmissionPolicy, that rejects pods running as a service account other than the requester's, or created in kube-system by identities that are not built-in controllers. Finally, include node access controls and cluster RBAC in regular configuration assessments.
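The audit-log monitoring recommended above can be made concrete. The following is an added detection example (not OCM code) that reads Kubernetes API-server audit events and flags pod creates that carry the token-theft signature: a service account starting a pod that runs as a different account, or pinning it to a node. It assumes the audit policy logs pods at level Request or RequestResponse, so that requestObject contains the pod spec; the audit events and the "admin-worker" account are constructed.

```python
"""Flag Pod creations that look like service-account token theft.

Added detection example for audit-log monitoring; it is not OCM code. It
reads Kubernetes API-server audit events (JSON lines) recorded at level
Request or RequestResponse for pods, so that requestObject carries the pod
spec. The events below are constructed, not captured from a cluster.
"""
import json

# Built-in controllers that create pods all day; alerting on them is noise.
# Constructed allow-list: extend it with your cluster's legitimate creators.
EXPECTED_POD_CREATORS = {
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:job-controller",
    "system:serviceaccount:kube-system:statefulset-controller",
}


def parse_service_account(username):
    """'system:serviceaccount:<ns>:<name>' -> (ns, name); None for users/nodes."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None


def classify(event):
    """Return a finding for one audit event, or None when it is uninteresting.

    The advisory's escalation needs two things from a pod create: the pod
    runs as a ServiceAccount other than the creator's own (so that account's
    token is mounted and readable on the node), and it lands on the node the
    attacker controls (nodeName pins it there). Either alone is worth a look;
    both together are the signature. automountServiceAccountToken is not
    consulted because a projected volume can request the token even when
    automount is off.
    """
    if event.get("verb") != "create":
        return None
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods" or ref.get("subresource"):
        return None
    username = event.get("user", {}).get("username", "")
    creator = parse_service_account(username)
    if creator is None or username in EXPECTED_POD_CREATORS:
        return None
    spec = event.get("requestObject", {}).get("spec", {})
    pod_ns = ref.get("namespace", "default")
    target = (pod_ns, spec.get("serviceAccountName", "default"))
    reasons = []
    if target != creator:
        reasons.append(f"runs as {target[0]}/{target[1]}")
    if spec.get("nodeName"):
        reasons.append(f"pinned to node {spec['nodeName']}")
    if not reasons:
        return None
    return {"auditID": event.get("auditID"), "creator": username,
            "pod": f'{pod_ns}/{ref.get("name")}', "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of JSON audit lines, skipping blanks."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed audit events, abridged to the fields the rule consults.
CM = "system:serviceaccount:open-cluster-management:cluster-manager"
SAMPLE_AUDIT_LINES = [
    # Normal controller activity: ignored by the allow-list.
    json.dumps({"auditID": "a1", "verb": "create",
                "user": {"username": "system:serviceaccount:kube-system:replicaset-controller"},
                "objectRef": {"resource": "pods", "namespace": "open-cluster-management",
                              "name": "cluster-manager-7c9d"},
                "requestObject": {"spec": {"serviceAccountName": "cluster-manager"}}}),
    # A read, not a create: ignored.
    json.dumps({"auditID": "a2", "verb": "get", "user": {"username": CM},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "etcd-0"}}),
    # cluster-manager creating a pod as itself in its own namespace: not flagged.
    json.dumps({"auditID": "a3", "verb": "create", "user": {"username": CM},
                "objectRef": {"resource": "pods", "namespace": "open-cluster-management",
                              "name": "helper"},
                "requestObject": {"spec": {"serviceAccountName": "cluster-manager"}}}),
    # The token-theft pattern: cluster-manager's token used to start a pod in
    # kube-system as a different (constructed) account, pinned to one node.
    json.dumps({"auditID": "a4", "verb": "create", "user": {"username": CM},
                "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "debug"},
                "requestObject": {"spec": {"serviceAccountName": "admin-worker",
                                           "nodeName": "worker-3",
                                           "containers": [{"name": "sh", "image": "busybox"}]}}}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LINES):
        print(json.dumps(finding))
```

Only event a4 is reported, with both reasons. In production, the allow-list should be derived from the identities that legitimately create pods in your cluster, and the rule is most useful when the audit policy also records `sourceIPs`, so that a cluster-manager token presented from a worker node's address rather than from the cluster-manager pod can be alerted on separately.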
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, Netherlands, France, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-10-10T03:51:08.007Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f769028b41f27b43d128a
Added to database: 11/20/2025, 8:14:08 PM
Last enriched: 2/26/2026, 3:21:24 PM
Last updated: 3/22/2026, 3:24:16 PM