A new vulnerability, CVE-2023-5528, has been discovered with Kubernetes.
This vulnerability is associated with a command injection vulnerability that leads to remote code execution with SYSTEM-level privileges on the compromised Windows node.
The severity for this vulnerability has been given as 7.2.
Several prerequisites are required for a threat actor to exploit this vulnerability, including applying malicious YAML files to the cluster, access to create a persistent volume that can be utilized during the command injection process, and some level of user privilege on the affected Kubernetes cluster.
Two additional vulnerabilities with the same underlying cause were identified subsequent to the identification of this one: an insecure function call and inadequate user input sanitization.
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.
According to the Akamai report shared with Cyber Security News, this vulnerability is linked with another previously disclosed vulnerability, CVE-2023-3676, related to another command injection vulnerability.
Both of these vulnerabilities were present on the Kubernetes cluster due to insecure function calls and a lack of user input sanitization.
Further analysis revealed that these command injections existed because of the lack of sanitization on the subPath parameter in YAML files, which uses the Kubelet service to execute commands with SYSTEM-level privileges.
Since it uses a Windows command prompt, the cmd terminal concatenation can be utilized to execute additional commands alongside the original parameter.
The exploitation involves the use of local volume type and persistent volume.
Local volumes are used to allow users to mount disk partitions inside a path, whereas persistent volumes are storage resources that a cluster admin can create to provide a storage space that will last even after the lifetime of the pod.
Once a persistentVolume is created, users can ask for storage space using a persistentVolumeClaim function.
It is worth denoting that Kubernetes uses YAML files for almost all of the functions inside the Kubernetes.
Path parameter inside a YAML file can be supplied with malicious commands executed during the mounting process.
This vulnerability can be exploited on default installations of Kubernetes, and was tested against both on-prem deployments and Azure Kubernetes Service.
Kubernetes has acted swiftly upon this vulnerability and has deleted the cmd line function.
This vulnerability affects the Kubernetes version earlier than 1.28.4.
It is recommended that organizations upgrade their Kubernetes to the latest version to prevent the exploitation of this vulnerability.
The below command can be executed to check if your Kubernetes has been affected.
This Cyber News was published on gbhackers.com. Publication date: Sat, 16 Mar 2024 07:13:06 +0000