services / Azure / Kubernetes userextras impersonation
The Kubernetes userextras-impersonation capability on an AKS-managed aiManagers cluster lets a caller set arbitrary extra authentication attributes on impersonated requests.
Extra authentication attributes feed authorization decisions (e.g. authorizing webhooks); spoofing them completes privileged impersonation.
Microsoft.ContainerService/aiManagers/authentication.k8s.io/userextras/impersonate/action
Impersonating userextras lets an attacker forge extra authentication attributes used in authorization, completing identity assumption and enabling privilege escalation and lateral movement.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security