
New Kubernetes Vulnerabilities Allow Remote Attacks on Windows Endpoints


September 13, 2023 | THN | Kubernetes / Cloud Security


Three high-severity, interrelated security vulnerabilities discovered in Kubernetes could be exploited to achieve elevated remote code execution on Windows endpoints within a cluster.

The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, following responsible disclosure by Akamai on July 13, 2023.

“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled said in a technical article shared with The Hacker News. “To exploit this vulnerability, the attacker must apply a malicious YAML file to the cluster.”


Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have all published advisories for the bugs, which affect the following versions of Kubelet –

  • Kubelet
  • Kubelet
  • Kubelet
  • kubelet
  • Kubelet

In a nutshell, CVE-2023-3676 allows an attacker with “apply” privileges, which make it possible to interact with the Kubernetes API, to inject arbitrary code that will be executed on remote Windows machines with SYSTEM privileges.

“CVE-2023-3676 requires low privileges and therefore sets a low bar for attackers: all they need is to access a node and apply privileges,” Peled noted.


The vulnerability, along with CVE-2023-3955, results from a lack of input sanitization, which allows a specially crafted path string to be parsed as a parameter to a PowerShell command, effectively leading to command execution.

CVE-2023-3893, for its part, concerns a case of privilege escalation in the container storage interface (CSI) proxy that allows a malicious actor to gain administrative access to the node.

“A recurring theme among these vulnerabilities is a failure to sanitize input in the Windows-specific port of Kubelet,” Kubernetes security platform ARMO highlighted last month.

“Specifically, when managing pod definitions, the software fails to adequately validate or sanitize user input. This oversight allows malicious users to create pods with environment variables and paths which, when processed, lead to undesirable behavior, such as privilege escalation.”
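A defensive pre-admission check for the pattern described above, as an added example that is not code from Kubernetes, Akamai or ARMO: it walks a pod manifest in JSON form and reports path-like fields containing characters that PowerShell treats as syntax. The deny-list, the choice of the `mountPath`, `subPath` and `path` fields, and the sample manifest are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Assumed deny-list: characters PowerShell treats as syntax rather than data.
const psMeta = "$`;&|{}\"'\r\n"
// Assumed set of path-like field names in a pod spec.
var pathKeys = map[string]bool{"mountPath": true, "subPath": true, "path": true}

// Constructed sample: one ordinary Windows path, one path carrying a separator.
const samplePod = `{"kind":"Pod","spec":{"containers":[{"name":"app","volumeMounts":[
 {"name":"data","mountPath":"C:\\data","subPath":"out;CONSTRUCTED-PLACEHOLDER"}]}]}}`

// walk visits decoded JSON and records path-like strings containing psMeta.
func walk(node interface{}, loc string, out *[]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			if s, ok := child.(string); ok && pathKeys[k] && strings.ContainsAny(s, psMeta) {
				*out = append(*out, strings.TrimPrefix(loc+"."+k, "."))
			}
			walk(child, loc+"."+k, out)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s[%d]", loc, i), out)
		}
	}
}

// AuditPod returns the sorted locations of suspicious path fields in a JSON pod manifest.
func AuditPod(manifest []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(manifest, &doc); err != nil {
		return nil, err
	}
	var out []string
	walk(doc, "", &out)
	sort.Strings(out)
	return out, nil
}

func main() {
	fmt.Println(AuditPod([]byte(samplePod)))
}
```

A check like this complements upgrading the kubelet to a fixed release and does not replace it.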
