Kubernetes group impersonation (AKS)
The Kubernetes group-impersonation capability on an AKS managed cluster, allowing the API caller to assert membership in arbitrary groups when issuing requests.
Asserting membership in privileged groups (e.g. system:masters) inherits all RBAC bound to those groups — equivalent to broad cluster takeover.
Microsoft.ContainerService/managedClusters/groups/impersonate/action
Impersonating groups lets the attacker assume membership in any group (e.g. system:masters), inheriting the aggregated RBAC privileges of that group for lateral movement and privilege escalation.
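An added example, not code from P0 Security or Microsoft: a Python audit check that reports which role definitions grant the action above, either by name or through a wildcard. It assumes role definitions in the JSON shape printed by `az role definition list` (`roleName`, and `permissions` holding `actions`, `notActions`, `dataActions`, `notDataActions`); the role names and sample data are constructed.

```python
import re

# The Azure RBAC operation named on this page.
TARGET = "Microsoft.ContainerService/managedClusters/groups/impersonate/action"

def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC operation patterns are case-insensitive and may use '*'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def grants_group_impersonation(role: dict) -> bool:
    """True if a permission block allows TARGET without excluding it again."""
    for perm in role.get("permissions", []):
        # Each allow list is paired with the exclusion list that subtracts from it.
        for allow_key, deny_key in (("actions", "notActions"),
                                    ("dataActions", "notDataActions")):
            allowed = any(matches(p, TARGET) for p in perm.get(allow_key) or [])
            denied = any(matches(p, TARGET) for p in perm.get(deny_key) or [])
            if allowed and not denied:
                return True
    return False

def risky_roles(roles: list) -> list:
    """Names of the role definitions that grant group impersonation."""
    return [r["roleName"] for r in roles if grants_group_impersonation(r)]

# Constructed sample role definitions (hypothetical names, not real tenant data).
MC = "Microsoft.ContainerService/managedClusters"
SAMPLE_ROLES = [
    {"roleName": "aks-wildcard-admin",
     "permissions": [{"dataActions": [MC + "/*"]}]},
    {"roleName": "aks-deployment-reader",
     "permissions": [{"dataActions": [MC + "/apps/deployments/read"]}]},
    {"roleName": "aks-admin-no-impersonation",
     "permissions": [{"dataActions": [MC + "/*"],
                      "notDataActions": [MC + "/*/impersonate/action"]}]},
    {"roleName": "explicit-group-impersonator",
     "permissions": [{"dataActions": [TARGET.lower()]}]},
]

if __name__ == "__main__":
    for name in risky_roles(SAMPLE_ROLES):
        print("grants group impersonation:", name)
```

An exclusion list only subtracts within its own role definition, so a principal holding a second role that grants the action still has it; review assignments per principal as well as per role.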
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security