A Kubernetes security vulnerability could have enabled full takeovers of Microsoft Windows nodes
Default installations of Kubernetes were vulnerable to a serious flaw that allowed attackers to remotely execute code with elevated privileges on Windows nodes.
Akamai researchers discovered the flaw, which has since been fixed. Described as "insufficient input sanitization in in-tree storage plugin," it is tracked as CVE-2023-5528.
It has a CVSS severity score of 7.2 and affects all versions of kubelet from 1.8.0 onward.
Multiple vulnerabilities
“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai explains. “To exploit this vulnerability, the attacker would need to apply malicious YAML files to the cluster.”
A user who can create pods and persistent volumes on Windows nodes may be able to escalate to administrator privileges on those nodes, the Kubernetes project explains on GitHub. As a result, they may be able to completely take over all Windows nodes in a cluster.
The vulnerability was fixed in mid-November 2023, so make sure you bring your kubelet to one of these versions or later: v1.28.4, v1.27.8, v1.26.11 or v1.25.16.
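To check a cluster against the fixed releases listed above, here is an added example (not Akamai's or the Kubernetes project's code) that reads the JSON printed by `kubectl get nodes -o json` and reports every node whose kubelet is still in the affected range without the fix. The node list embedded below is a constructed sample so it runs offline; the treatment of minor lines older than 1.25 (affected, but with no patched release) follows the advisory's version list and is this example's reading of it.

```python
"""Flag nodes whose kubelet predates the CVE-2023-5528 fix.

Added example (not Akamai's or the Kubernetes project's code). It reads the
JSON that `kubectl get nodes -o json` prints and compares each node's kubelet
version with the fixed releases from the advisory. SAMPLE_NODES is constructed.
"""
import json
import re

# Fixed kubelet releases from the advisory, keyed by minor line.
FIXED = {25: (1, 25, 16), 26: (1, 26, 11), 27: (1, 27, 8), 28: (1, 28, 4)}
FIRST_AFFECTED = (1, 8, 0)

# Accepts vendor suffixes such as v1.27.6-gke.1596 or v1.28.3+k3s1.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'v1.27.6-gke.1596' into (1, 27, 6); None if unparsable."""
    m = VERSION_RE.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if this kubelet is in the affected range and has no fix applied."""
    v = parse_version(version)
    if v is None:
        return True  # unknown format: treat as needing review, not as safe
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED.get(v[1]) if v[0] == 1 else None
    if fixed is None:
        # 1.8 .. 1.24 are affected but got no patched release in the advisory;
        # 1.29 and later were cut after the fix landed.
        return v < (1, 25, 0)
    return v < fixed


def unpatched_nodes(node_list):
    """Return (name, kubeletVersion, os) for every node on a vulnerable kubelet.

    Only Windows nodes are exploitable for this flaw, so the OS label is
    reported rather than filtered on: Linux nodes on old kubelets stay visible.
    """
    hits = []
    for node in node_list["items"]:
        meta = node["metadata"]
        os_name = meta.get("labels", {}).get("kubernetes.io/os", "unknown")
        version = node["status"]["nodeInfo"]["kubeletVersion"]
        if is_vulnerable(version):
            hits.append((meta["name"], version, os_name))
    return hits


# Constructed sample of `kubectl get nodes -o json`, trimmed to the fields used.
SAMPLE_NODES = json.loads("""
{"items": [
  {"metadata": {"name": "win-1", "labels": {"kubernetes.io/os": "windows"}},
   "status": {"nodeInfo": {"kubeletVersion": "v1.27.6"}}},
  {"metadata": {"name": "win-2", "labels": {"kubernetes.io/os": "windows"}},
   "status": {"nodeInfo": {"kubeletVersion": "v1.28.4"}}},
  {"metadata": {"name": "lin-1", "labels": {"kubernetes.io/os": "linux"}},
   "status": {"nodeInfo": {"kubeletVersion": "v1.26.3-gke.1090"}}},
  {"metadata": {"name": "win-3", "labels": {"kubernetes.io/os": "windows"}},
   "status": {"nodeInfo": {"kubeletVersion": "v1.24.17"}}}
]}
""")

if __name__ == "__main__":
    for name, version, os_name in unpatched_nodes(SAMPLE_NODES):
        print(f"{name}: kubelet {version} ({os_name}) needs upgrading")
```

Against a live cluster, pipe `kubectl get nodes -o json` into `json.load` in place of the sample; an unparsable version string is reported rather than silently skipped, since a node the check cannot classify should not be assumed safe.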
In September 2023, Akamai researchers disclosed a similar flaw: a command injection vulnerability that could be exploited with a malicious YAML file applied to the cluster. That flaw, tracked as CVE-2023-3676 with a severity score of 8.8, was the one that paved the way for the new findings, the researchers explained.
“The lack of sanitization of the subPath parameter in YAML files that create pods with volumes opens the possibility for a malicious injection,” they say. “This was the original finding, but at the end of that investigation we noticed a potential spot in the code that looked like it could lead to a new command injection vulnerability. After several attempts, we managed to achieve a similar result.”
For enterprises, verifying Kubernetes configuration YAML files before applying them is “critical,” the researchers add, because input sanitization is “missing from several code areas in Kubernetes itself.”
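One concrete form of the YAML verification the researchers recommend, as an added example that is not Akamai's or the Kubernetes project's code: a pre-apply lint that walks a manifest and flags path-like fields containing shell metacharacters. The page names subPath as the field behind CVE-2023-3676 but does not say which field the newer flaw abuses, so also checking hostPath and local volume `path` values is this example's assumption. It reads the JSON form of a manifest (for instance `kubectl create -f pod.yaml --dry-run=client -o json`); the manifest embedded below is a constructed sample.

```python
"""Pre-apply lint: shell metacharacters in manifest path fields.

Added example (not Akamai's or the Kubernetes project's code). Walks a decoded
manifest and reports subPath/subPathExpr/path values that contain characters
cmd.exe or a POSIX shell treats specially. SAMPLE_MANIFESTS is constructed.
"""
import json
import re

# Keys whose string values end up in filesystem paths handled by kubelet.
# subPath is the field named for CVE-2023-3676; `path` (hostPath, local) is
# this example's assumption for the newer flaw.
PATH_KEYS = {"subPath", "subPathExpr", "path"}
# Characters cmd.exe or a POSIX shell treats specially. Backslash and colon
# are legitimate in Windows paths and are deliberately not flagged.
META_RE = re.compile(r'[&|<>^%"\'`$;\r\n]')


def find_suspicious_paths(obj, where="$"):
    """Return (location, value) for every path field with shell metacharacters."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            loc = f"{where}.{key}"
            if key in PATH_KEYS and isinstance(val, str):
                if META_RE.search(val):
                    hits.append((loc, val))
            else:
                hits.extend(find_suspicious_paths(val, loc))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_suspicious_paths(val, f"{where}[{i}]"))
    return hits


def manifest_is_clean(manifest):
    """Gate for a CI step or admission hook: True if nothing was flagged."""
    return not find_suspicious_paths(manifest)


# Constructed sample: a PV whose local path and a pod whose subPath carry
# injected commands, next to a clean mount that must not be flagged.
SAMPLE_MANIFESTS = json.loads(r"""
{"apiVersion": "v1", "kind": "List", "items": [
  {"apiVersion": "v1", "kind": "PersistentVolume",
   "metadata": {"name": "win-local"},
   "spec": {"capacity": {"storage": "1Gi"}, "accessModes": ["ReadWriteOnce"],
            "local": {"path": "C:\\data & whoami"}}},
  {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
   "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
            "containers": [{"name": "c",
              "image": "mcr.microsoft.com/windows/nanoserver:ltsc2022",
              "volumeMounts": [
                {"name": "data", "mountPath": "C:\\mnt", "subPath": "logs|whoami"},
                {"name": "data", "mountPath": "C:\\cfg", "subPath": "config"}]}],
            "volumes": [{"name": "data",
                         "persistentVolumeClaim": {"claimName": "win-local-claim"}}]}}
]}
""")

if __name__ == "__main__":
    for loc, val in find_suspicious_paths(SAMPLE_MANIFESTS):
        print(f"suspicious path at {loc}: {val!r}")
```

This is a defence-in-depth check for CI and admission, not a replacement for upgrading kubelet: the point the researchers make is that the sanitization is missing inside Kubernetes, so anything reaching the API server with create rights on pods and persistent volumes can still carry the payload.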
Via The Hacker News