Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster.
The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, following responsible disclosure by Akamai on July 13, 2023.
"The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled said in a technical write-up shared with The Hacker News. "To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster."
The affected kubelet versions are:
- kubelet < v1.28.1
- kubelet < v1.27.5
- kubelet < v1.26.8
- kubelet < v1.25.13, and
- kubelet < v1.24.17
In a nutshell, CVE-2023-3676 allows an attacker with 'apply' privileges (that is, the ability to interact with the Kubernetes API and create or update objects) to inject arbitrary code that will be executed on remote Windows machines with SYSTEM privileges.
"CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges," Peled noted.
The vulnerability, along with CVE-2023-3955, arises as a result of a lack of input sanitization, thereby enabling a specially crafted path string to be parsed as a parameter to a PowerShell command, effectively leading to command execution.
CVE-2023-3893, on the other hand, relates to a case of privilege escalation in the Container Storage Interface (CSI) proxy that allows a malicious actor to obtain administrator access on the node.
"A recurring theme among these vulnerabilities is a lapse in input sanitization in the Windows-specific porting of the Kubelet," Kubernetes security platform ARMO highlighted last month.
"Specifically, when handling Pod definitions, the software fails to adequately validate or sanitize user inputs. This oversight enables malicious users to craft pods with environment variables and host paths that, when processed, lead to undesired behaviors, such as privilege escalation."
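The following Go program is an added example, not code from the kubelet, from Akamai's write-up, or from ARMO. It illustrates the bug class the two paragraphs above describe: a pod-controlled path string pasted into a PowerShell command line, shown beside a shell-free check that never parses pod input as code. It also adds an admission-style scan over a Pod manifest that flags subPath, subPathExpr (after `$(VAR)` expansion from the container's own env) and hostPath values carrying PowerShell metacharacters, which is the kind of interim guardrail a cluster operator can deploy before every Windows node is patched. The manifest is constructed for the example, the `Get-Item -LiteralPath` command is a stand-in for the affected code rather than a quote of it, and the choice of fields to scan is an assumption based on the "environment variables and host paths" the article mentions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// podManifest is a minimal view of the Pod fields the Windows kubelet turns into
// filesystem paths. Field names are the real Kubernetes ones; the struct itself
// is an illustration, not the k8s.io API types.
type podManifest struct {
	Spec struct {
		Volumes []struct {
			Name     string `json:"name"`
			HostPath *struct {
				Path string `json:"path"`
			} `json:"hostPath,omitempty"`
		} `json:"volumes"`
		Containers []struct {
			Name string `json:"name"`
			Env  []struct {
				Name  string `json:"name"`
				Value string `json:"value"`
			} `json:"env"`
			VolumeMounts []struct {
				Name        string `json:"name"`
				SubPath     string `json:"subPath"`
				SubPathExpr string `json:"subPathExpr"`
			} `json:"volumeMounts"`
		} `json:"containers"`
	} `json:"spec"`
}

// vulnerableLinkCheckCommand shows the dangerous pattern (assumed shape, not the
// kubelet's source): a pod-supplied path is interpolated into a PowerShell
// command string. For the path "$(Start-Process cmd)" PowerShell evaluates the
// subexpression before Get-Item ever sees a path, i.e. command injection.
func vulnerableLinkCheckCommand(path string) []string {
	return []string{"powershell", "/c", fmt.Sprintf("(Get-Item -LiteralPath %s).LinkType", path)}
}

// isSymlinkWithoutShell performs the same "is this a link?" check through the
// Go runtime, so no string from the pod spec is ever parsed as PowerShell code.
func isSymlinkWithoutShell(path string) (bool, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink != 0, nil
}

// hasPowerShellMetachars flags characters that let a value escape a PowerShell
// argument: the $( ) subexpression, backtick escape, statement separators,
// script blocks, quotes and line breaks.
func hasPowerShellMetachars(s string) bool {
	return strings.Contains(s, "$(") || strings.ContainsAny(s, "`;|&{}\"'\r\n")
}

var envRef = regexp.MustCompile(`\$\(([A-Za-z_][A-Za-z0-9_]*)\)`)

// expandSubPathExpr resolves $(VAR) references in subPathExpr from the
// container's literal env values (simplified: no valueFrom sources, and unknown
// references are left as-is, matching Kubernetes' expansion behaviour).
func expandSubPathExpr(expr string, env map[string]string) string {
	return envRef.ReplaceAllStringFunc(expr, func(ref string) string {
		if v, ok := env[envRef.FindStringSubmatch(ref)[1]]; ok {
			return v
		}
		return ref
	})
}

// checkPodManifest parses a Pod JSON document and returns one finding per
// path-bearing field whose effective value carries PowerShell metacharacters.
func checkPodManifest(doc []byte) ([]string, error) {
	var pod podManifest
	if err := json.Unmarshal(doc, &pod); err != nil {
		return nil, err
	}
	var findings []string
	for _, v := range pod.Spec.Volumes {
		if v.HostPath != nil && hasPowerShellMetachars(v.HostPath.Path) {
			findings = append(findings, fmt.Sprintf("volume %q hostPath.path: %q", v.Name, v.HostPath.Path))
		}
	}
	for _, c := range pod.Spec.Containers {
		env := map[string]string{}
		for _, e := range c.Env {
			env[e.Name] = e.Value
		}
		for _, m := range c.VolumeMounts {
			if m.SubPath != "" && hasPowerShellMetachars(m.SubPath) {
				findings = append(findings, fmt.Sprintf("container %q mount %q subPath: %q", c.Name, m.Name, m.SubPath))
			}
			if expanded := expandSubPathExpr(m.SubPathExpr, env); m.SubPathExpr != "" && hasPowerShellMetachars(expanded) {
				findings = append(findings, fmt.Sprintf("container %q mount %q subPathExpr expands to: %q", c.Name, m.Name, expanded))
			}
		}
	}
	return findings, nil
}

// samplePod is a constructed manifest: one benign mount, one subPath carrying a
// PowerShell subexpression, and one subPathExpr whose env var smuggles a ';'.
const samplePod = `{"spec":{
  "volumes":[{"name":"data","hostPath":{"path":"C:\\data"}}],
  "containers":[{"name":"app",
    "env":[{"name":"TENANT","value":"acme; Start-Process calc"}],
    "volumeMounts":[
      {"name":"data","subPath":"logs"},
      {"name":"data","subPath":"$(Start-Process cmd)"},
      {"name":"data","subPathExpr":"$(TENANT)/logs"}]}]}}`

func main() {
	fmt.Println("vulnerable argv:", vulnerableLinkCheckCommand("$(Start-Process cmd)"))
	findings, err := checkPodManifest([]byte(samplePod))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("REJECT:", f)
	}
}
```

The scan deliberately expands subPathExpr before checking it: `$(` is legitimate Kubernetes syntax in that field, and the injection arrives through the env value it references. A check that looked at subPathExpr literally would either miss that vector or reject every valid expression.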