A series of high-severity vulnerabilities in Kubernetes have been identified, which could lead to remote code execution with elevated privileges on Windows endpoints within a Kubernetes cluster. Kubernetes is a free and open-source system used for automating deployment, scaling, and management of containerized applications. The project was originally designed by Google and is currently maintained by the Cloud Native Computing Foundation.
The primary vulnerability, designated CVE-2023-3676, was discovered by Akamai security researcher Tomer Peled. This flaw, along with two others, CVE-2023-3893 and CVE-2023-3955, has been addressed with fixes released on August 23, 2023.
Technical Insights
The vulnerabilities stem from insufficient input sanitization in the Windows-specific implementation of the Kubelet. When handling Pod definitions, the software does not adequately validate or sanitize user-supplied values. This oversight allows malicious users to craft pods with environment variables and host paths that, when processed, can lead to unintended behaviors, including privilege escalation. An attacker with 'apply' privileges, which allow interaction with the Kubernetes API, can exploit CVE-2023-3676 to inject arbitrary code that will be executed on remote Windows machines with SYSTEM privileges.
Official Advisory and Mitigation
A Kubernetes Security Advisory has confirmed the vulnerabilities and provided patches for affected versions of kubelet. All Kubernetes versions below 1.28 are vulnerable. The advisory recommends applying the provided patches as the most reliable mitigation method. Where patching is not yet possible, Kubernetes admins can disable the use of Volume.Subpath to safeguard against this vulnerability. Additionally, Kubernetes audit logs can be used to detect potential exploitation attempts: pod creation events containing embedded PowerShell commands are a strong indication of malicious activity.
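As an added illustration of the audit-log detection described above (this is example code, not part of Kubernetes or the advisory), the following script scans constructed audit events for pod create requests whose env values or volumeMount subPath fields carry PowerShell-style syntax. It assumes an audit policy that records pod requests at the Request or RequestResponse level, so that requestObject is present in each event.

```python
import json
import re

# Constructed sample audit log (JSON Lines, audit.k8s.io/v1 shape), not real cluster data.
# Only the second event carries PowerShell-style subexpression syntax; the values are
# deliberately harmless (Get-Date) and serve only to exercise the detection.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"ci-deployer"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"},"requestObject":{"spec":{"nodeSelector":{"kubernetes.io/os":"windows"},"containers":[{"name":"app","image":"app:1.0","env":[{"name":"LOG_LEVEL","value":"info"}],"volumeMounts":[{"name":"cfg","mountPath":"/config","subPath":"app.yaml"}]}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"contractor"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-2"},"requestObject":{"spec":{"nodeSelector":{"kubernetes.io/os":"windows"},"containers":[{"name":"app","image":"app:1.0","env":[{"name":"STAMP","value":"$(Get-Date)"}],"volumeMounts":[{"name":"cfg","mountPath":"/config","subPath":"$(Get-Date).yaml"}]}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"viewer"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"}}
"""

# Markers of PowerShell syntax that have no business inside an env value or a subPath.
POWERSHELL_MARKERS = re.compile(r"\$\(|powershell|Invoke-Expression|-EncodedCommand", re.IGNORECASE)


def _pod_strings(spec):
    """Yield (location, value) for every env value and volumeMount subPath in a pod spec."""
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            for env in c.get("env", []):
                if "value" in env:
                    yield f"{c.get('name')}.env.{env.get('name')}", env["value"]
            for vm in c.get("volumeMounts", []):
                if "subPath" in vm:
                    yield f"{c.get('name')}.volumeMounts.{vm.get('name')}.subPath", vm["subPath"]


def find_suspicious_pod_creates(audit_jsonl):
    """Return one finding per pod-create field whose value contains PowerShell-style syntax."""
    findings = []
    for line in audit_jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        # Only pod creation requests matter here; reads and other resources are skipped.
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        for where, value in _pod_strings(spec):
            if POWERSHELL_MARKERS.search(value):
                findings.append({"user": ev.get("user", {}).get("username"),
                                 "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                                 "field": where, "value": value})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_pod_creates(SAMPLE_AUDIT_LOG):
        print(f)
```

Feed it real audit output one JSON event per line; on a cluster with no Windows nodes any hit is still worth a look, since the request was made regardless of where it could run.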
The vulnerabilities, especially CVE-2023-3676, present a significant risk due to their high impact and ease of exploitation. However, their scope is limited to Windows nodes, which are not as prevalent in Kubernetes deployments. It is imperative for administrators to update their Kubernetes clusters to the latest versions or implement the recommended mitigations to prevent potential exploitation.