In a technical report released today, Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse highlighted the exploitation potential of these vulnerabilities through environment variable poisoning. This method could be leveraged by attackers to escalate privileges and execute code within the targeted program’s context or carry out other nefarious activities.

The vulnerabilities, collectively identified as CVE-2023-29491 with a CVSS score of 7.8, were remedied as of April 2023. Microsoft collaborated with Apple to address macOS-specific issues associated with these flaws.

Environment variables, customizable values utilized by various programs on a system, play a significant role in determining program behavior. Manipulating these variables can lead to unauthorized operations by applications.

Through code auditing and fuzzing, Microsoft uncovered that the ncurses library scans for multiple environment variables, including TERMINFO. Exploiting these variables, combined with the identified flaws, could facilitate privilege escalation. TERMINFO is crucial for enabling programs to utilize display terminals in a device-independent manner.

The vulnerabilities comprise a stack information leak, parameterized string type confusion, off-by-one error, heap out-of-bounds during terminfo database file parsing, and denial-of-service with canceled strings.

The researchers emphasized that while the discovered vulnerabilities could indeed enable attackers to elevate privileges and execute code within a program’s context, exploiting memory corruption vulnerabilities typically requires a multi-stage attack.

“The vulnerabilities might have necessitated being chained together for an attacker to escalate privileges, such as utilizing the stack information leak to gain arbitrary read primitives along with exploiting the heap overflow to acquire a write primitive,” they explained.

Identified as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, these vulnerabilities have been assigned CVSS scores of 8.8 and affect all Kubernetes setups incorporating Windows nodes. Mitigations for these issues were deployed on August 23, 2023, subsequent to a responsible disclosure by Akamai on July 13, 2023.

According to Tomer Peled, a security researcher at Akamai, who shared insights with The Hacker News, “The exploit permits remote code execution with SYSTEM privileges across all Windows endpoints within a Kubernetes cluster, facilitated by deploying a malicious YAML file onto the cluster.”

Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have all released advisories for the bugs, which affect the following versions of Kubelet –

• kubelet < v1.28.1
• kubelet < v1.27.5
• kubelet < v1.26.8
• kubelet < v1.25.13, and
• kubelet < v1.24.17

In essence, CVE-2023-3676 enables an attacker with ‘apply’ privileges, allowing interaction with the Kubernetes API, to introduce arbitrary code for execution on remote Windows machines with SYSTEM privileges.

Peled remarked, “CVE-2023-3676 requires minimal privileges, setting a low barrier for attackers; they simply need node access and apply privileges.”

The vulnerability, coupled with CVE-2023-3955, stems from inadequate input sanitization, permitting a specially crafted path string to be interpreted as a parameter for a PowerShell command, ultimately leading to command execution.

CVE-2023-3893, conversely, concerns privilege escalation within the Container Storage Interface (CSI) proxy, granting malicious actors administrator access on the node.

ARMO, a Kubernetes security platform, emphasized a common thread across these vulnerabilities: a lapse in input sanitization in the Windows-specific porting of the Kubelet. Particularly when handling Pod definitions, the software fails to sufficiently validate or sanitize user inputs. This oversight enables malevolent users to craft pods with environment variables and host paths that, upon processing, trigger undesired behaviors such as privilege escalation.

The buffer overflow in the WebP library could potentially allow attackers to take control of a target system, steal data, or install malware. Google has also confirmed that the security vulnerability is actively being exploited by attackers.

Security updates addressing the vulnerability have already been released for the four mentioned web browsers. Other Chromium-based web browsers are likely to receive a corresponding patch soon if it’s not already available.

Affects More Than Just Google Chrome Although the security vulnerability is often attributed solely to Google Chrome, Stackdiary emphasizes that this is not the case. The report lists several other applications that also use the vulnerable library to render WebP images and are potentially affected. This includes software such as Affinity, Gimp, Inkscape, Libreoffice, Telegram, Signal, Thunderbird, 1Password, and Ffmpeg.

In essence, the problem affects a wide range of apps developed for various platforms using frameworks like Electron or Flutter. Some of these apps have already received patches, while others have not. Even the Electron framework developed by GitHub now has a patch available.

Given the severity of this security vulnerability, users are advised to keep their web browsers and other applications up to date. It’s expected that many apps will receive updates in the coming days and weeks to address the WebP vulnerability.