Three interconnected security vulnerabilities of high severity have been uncovered in Kubernetes, posing a risk of remote code execution with elevated privileges on Windows endpoints within a cluster.
Identified as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, these vulnerabilities have been assigned CVSS scores of 8.8 and affect all Kubernetes setups incorporating Windows nodes. Mitigations for these issues were deployed on August 23, 2023, subsequent to a responsible disclosure by Akamai on July 13, 2023.
According to Tomer Peled, a security researcher at Akamai, who shared insights with The Hacker News, “The exploit permits remote code execution with SYSTEM privileges across all Windows endpoints within a Kubernetes cluster, facilitated by deploying a malicious YAML file onto the cluster.”
Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have all released advisories for the bugs, which affect the following versions of Kubelet:
- kubelet < v1.28.1
- kubelet < v1.27.5
- kubelet < v1.26.8
- kubelet < v1.25.13
- kubelet < v1.24.17
In essence, CVE-2023-3676 enables an attacker with ‘apply’ privileges (that is, the ability to submit objects to the Kubernetes API) to introduce arbitrary code that executes on remote Windows machines with SYSTEM privileges.
Peled remarked, “CVE-2023-3676 requires minimal privileges, setting a low barrier for attackers; they simply need node access and apply privileges.”
Both this vulnerability and CVE-2023-3955 stem from inadequate input sanitization: a specially crafted path string is interpreted as a parameter of a PowerShell command, ultimately leading to command execution.
CVE-2023-3893, by contrast, concerns privilege escalation within the Container Storage Interface (CSI) proxy, granting malicious actors administrator access on the node.
ARMO, a Kubernetes security platform, emphasized a common thread across these vulnerabilities: a lapse in input sanitization in the Windows-specific porting of the Kubelet. Particularly when handling Pod definitions, the software fails to sufficiently validate or sanitize user inputs. This oversight enables malevolent users to craft pods with environment variables and host paths that, upon processing, trigger undesired behaviors such as privilege escalation.
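Two defender-side checks that follow from the article, as an added example that is not code from Akamai, ARMO or the Kubernetes project: a kubelet version check against the fixed releases listed above, and an audit over a parsed Pod manifest that flags hostPath and env values carrying PowerShell metacharacters (the metacharacter set and the dict-based manifest shape are assumptions, not the upstream fix).

```python
import re

# First patched kubelet release of each minor line, from the advisory list above.
FIXED = {(1, 28): 1, (1, 27): 5, (1, 26): 8, (1, 25): 13, (1, 24): 17}


def parse_version(v: str) -> tuple:
    """'v1.27.4' or '1.27.4-eks' -> (1, 27, 4)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+).*", v.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {v}")
    return tuple(int(x) for x in m.groups())


def kubelet_affected(version: str) -> bool:
    """True if the kubelet is older than the first patched release of its line.
    Lines older than 1.24 received no fix and are treated as affected (assumption)."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line not in FIXED:
        return line < (1, 24)
    return patch < FIXED[line]


# Characters PowerShell treats specially; a hostPath or env value should not need
# them. Heuristic chosen for this audit, not the sanitization Kubernetes applies.
SUSPICIOUS = re.compile(r"[;&|`$(){}\n]")


def suspicious_strings(pod: dict) -> list:
    """Return 'location=value' entries for hostPath volumes and container env
    values in a Pod manifest (as a dict, e.g. from yaml.safe_load) that contain
    PowerShell metacharacters."""
    hits = []
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if SUSPICIOUS.search(path):
            hits.append(f"volume {vol.get('name')}={path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            val = env.get("value", "")
            if SUSPICIOUS.search(val):
                hits.append(f"env {c.get('name')}/{env.get('name')}={val}")
    return hits


if __name__ == "__main__":
    # Constructed sample manifest, not a real exploit: the ';' in the path is enough to flag it.
    sample = {"spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
                       "volumes": [{"name": "d", "hostPath": {"path": "C:\\data;example"}}],
                       "containers": [{"name": "app", "env": [{"name": "A", "value": "ok"}]}]}}
    print(kubelet_affected("v1.27.4"), kubelet_affected("v1.27.5"))  # True False
    print(suspicious_strings(sample))  # ['volume d=C:\\data;example']
```

In a real cluster the version check would run over `kubectl get nodes -o json` output for nodes with `kubernetes.io/os: windows`, and the manifest audit would sit in an admission webhook or a periodic scan of existing Pods.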