Kubernetes userextras impersonation (AKS fleet member)
The Kubernetes impersonation capability for user-extra attributes on a member cluster of an AKS fleet. The impersonate verb on the userextras resource lets a caller attach arbitrary extra authentication attributes (claims/scopes) to the identity it is impersonating.
Forged extra attributes are consumed by authorization webhooks and policies, so this verb completes an identity-spoofing chain that escalates privilege; hence CRITICAL.
Microsoft.ContainerService/fleets/members/authentication.k8s.io/userextras/impersonate/action
Impersonating userextras lets an attacker forge additional authentication attributes that feed authorization decisions, augmenting an already impersonated identity to escalate privilege and move laterally.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security