A trio of intrinsically linked, high-priority security vulnerabilities recently uncovered in Kubernetes have raised red flags in the sphere of cyberspace safety. If exploited, these could enable threat actors to remotely administer malicious code with escalated privileges on Windows-powered endpoints within a cluster.
All the CVEs
The vulnerabilities go by the designations CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955. Coming with a starkly high CVSS rating of 8.8, these vulnerabilities have ramifications across all Kubernetes environments which involve Windows nodes. Before long, the loopholes had been plugged with fixes deployed on August 23, 2023, after Akamai responsibly brought them to light on July 13 the same year.
Akamai security researcher, Tomer Peled, elaborates: “The vulnerability in question paves the way for remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster.” According to Peled, an attacker would need to enforce a corrupted YAML file on the cluster to exploit this vulnerability.
Tech titans Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have all issued warning messages in light of these bugs. The issues affect certain versions of Kubelet – a core component of the Kubernetes system.
SYSTEM Still a Bad Idea
The Blue Screen of Death is a Funny Joke to Make Here According to AI, So We Did. Please Laugh.
Digging into the specifics, CVE-2023-3676 provides a pathway for an attacker boasting ‘apply’ privileges to inject arbitrary code. These privileges enable interaction with the Kubernetes API. The rogue code then gets executed on remote Windows machines with SYSTEM privileges. As Peled points out, the attack methodology requires only minimal privileges, subsequently lowering the barrier to entry for potential assailants.
Two vulnerabilities stem from a lack of user input sanitization. Thus, an especially contrived path string can be interpreted as a PowerShell command parameter, setting the stage for possible command execution.
The third bug, CVE-2023-3893, ties in with a privilege elevation scenario in the Container Storage Interface (CSI) proxy, which potentially allows a ne’er-do-well to secure administrator access on a node.
Have We Learned Nothing From OWASP?
However, a common thread running between these security flaws is a lapse in input sanitization. Kubernetes Security platform ARMO shed light on this last month stating, “Within the Windows-specific porting of the Kubelet, the software doesn’t effectively validate or clean up user inputs when dealing with Pod definitions.” This seemingly minor oversight leaves the door ajar for nefarious users to design pods equipped with environment variables and host paths capable of resulting in privilege escalation when processed.
