Three interrelated high-severity security flaws found in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster.
The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and affect all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, following responsible disclosure by Akamai on July 13, 2023.
“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled said in a technical write-up shared with The Hacker News. “To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster.”
Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have all released advisories for the bugs, which affect the following versions of Kubelet –
- kubelet < v1.28.1
- kubelet < v1.27.5
- kubelet < v1.26.8
- kubelet < v1.25.13, and
- kubelet < v1.24.17
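As an added check that is not part of the original article, the following Python script reads the parsed output of `kubectl get nodes -o json` and flags Windows nodes whose kubelet is below the fixed releases listed above. It assumes the `kubeletVersion` string follows the usual vMAJOR.MINOR.PATCH form (optionally with a vendor suffix such as `-eks-...`), treats branches older than 1.24 as unpatched because no fixed release is listed for them, and treats minors newer than 1.28 as released after the fix.

```python
import re

# Minimum patched kubelet release per minor branch, from the advisories above.
FIXED_KUBELET = {
    24: (1, 24, 17),
    25: (1, 25, 13),
    26: (1, 26, 8),
    27: (1, 27, 5),
    28: (1, 28, 1),
}

# Accepts "v1.27.4", "1.27.4" and vendor-suffixed forms like "v1.27.4-eks-2d98532".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from a kubelet version string."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(part) for part in match.groups())


def kubelet_is_vulnerable(version):
    """True if this kubelet release predates the fix for the three CVEs."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return False          # assumption: only the v1.x line is in scope
    if minor < 24:
        return True           # assumption: older branches never received a fix
    fixed = FIXED_KUBELET.get(minor)
    if fixed is None:
        return False          # assumption: 1.29+ shipped after the fix
    return (major, minor, patch) < fixed


def affected_windows_nodes(node_list):
    """Return (name, kubeletVersion) for Windows nodes running an unpatched kubelet.
    `node_list` is the parsed JSON of `kubectl get nodes -o json`."""
    affected = []
    for node in node_list.get("items", []):
        info = node["status"]["nodeInfo"]
        if info.get("operatingSystem") != "windows":
            continue          # Linux nodes are not in scope for these CVEs
        if kubelet_is_vulnerable(info["kubeletVersion"]):
            affected.append((node["metadata"]["name"], info["kubeletVersion"]))
    return affected


def _node(name, os_name, version):   # helper to build constructed sample nodes
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"operatingSystem": os_name, "kubeletVersion": version}}}


SAMPLE_NODES = {"items": [            # constructed sample, not real cluster output
    _node("win-a", "windows", "v1.27.4"), _node("win-b", "windows", "v1.27.5"),
    _node("linux-a", "linux", "v1.25.0"), _node("win-c", "windows", "v1.28.0-eks-abc123"),
]}

if __name__ == "__main__":
    for name, version in affected_windows_nodes(SAMPLE_NODES):
        print(f"{name}: kubelet {version} is below the fixed release, upgrade required")
```

In a real cluster, load the JSON with `json.load()` from `kubectl get nodes -o json` and pass it to `affected_windows_nodes`.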
In a nutshell, CVE-2023-3676 allows an attacker with ‘apply’ privileges — which make it possible to interact with the Kubernetes API — to inject arbitrary code that will be executed on remote Windows machines with SYSTEM privileges.
“CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges,” Peled noted.
The vulnerability, along with CVE-2023-3955, arises as a result of a lack of input sanitization, thereby enabling a specially crafted path string to be parsed as a parameter to a PowerShell command, effectively leading to command execution.
CVE-2023-3893, on the other hand, relates to a case of privilege escalation in the Container Storage Interface (CSI) proxy that allows a malicious actor to obtain administrator access on the node.
“A recurring theme among these vulnerabilities is a lapse in input sanitization in the Windows-specific porting of the Kubelet,” Kubernetes security platform ARMO highlighted last month.
“Specifically, when handling Pod definitions, the software fails to adequately validate or sanitize user inputs. This oversight allows malicious users to craft pods with environment variables and host paths that, when processed, lead to undesired behaviors, such as privilege escalation.”