Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster.
The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, following responsible disclosure by Akamai on July 13, 2023.
"The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled said in a technical write-up shared with The Hacker News. "To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster."
- kubelet < v1.28.1
- kubelet < v1.27.5
- kubelet < v1.26.8
- kubelet < v1.25.13, and
- kubelet < v1.24.17
In a nutshell, CVE-2023-3676 allows an attacker with 'apply' privileges -- which makes it possible to interact with the Kubernetes API -- to inject arbitrary code that will be executed on remote Windows machines with SYSTEM privileges.
"CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges," Peled noted.
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.
The vulnerability, along with CVE-2023-3955, arises as a result of a lack of input sanitization, thereby enabling a specially crafted path string to be parsed as a parameter to a PowerShell command, effectively leading to command execution.
CVE-2023-3893, on the other hand, relates to a case of privilege escalation in the Container Storage Interface (CSI) proxy that allows a malicious actor to obtain administrator access on the node.
"A recurring theme among these vulnerabilities is a lapse in input sanitization in the Windows-specific porting of the Kubelet," Kubernetes Security platform ARMO highlighted last month.
"Specifically, when handling Pod definitions, the software fails to adequately validate or sanitize user inputs. This oversight enables malicious users to craft pods with environment variables and host paths that, when processed, lead to undesired behaviors, such as privilege escalation."