A security bug in the widely used Kubernetes container-management system allows an attacker who can create pods and persistent volumes to execute code with SYSTEM privileges on Windows nodes, potentially leading to full takeover of every Windows node in a Kubernetes cluster.
Akamai security researcher Tomer Peled discovered the flaw, which is tracked as CVE-2023-5528 and has a CVSS score of 7.2.
Exploitation relies on manipulating Kubernetes volumes, a feature for sharing data between pods on a cluster or for storing it persistently beyond a pod's lifecycle, he explained in a blog post published March 13.
As an attack vector, attackers would need to create pods and persistent volumes on Windows nodes, which would allow them to escalate to admin privileges on those nodes, according to a GitHub listing for the flaw.
Default installations with Windows nodes running a kubelet older than version 1.28.4 are vulnerable, whether deployed on-prem or on Azure Kubernetes Service; the fix was also backported to the 1.27, 1.26 and 1.25 release lines (1.27.8, 1.26.11 and 1.25.16).
The Kubernetes team was notified and has released a patch; upgrading is strongly recommended.
Following the Flaws
Peled discovered the flaw after investigating another vulnerability that shared the same root cause: an insecure function call combined with a lack of user-input sanitization in Kubernetes.
That flaw was CVE-2023-3676, a command injection vulnerability that could be exploited by applying a malicious YAML file onto the cluster.
The discovery of that vulnerability led to two others, also caused by missing sanitization of the subPath parameter in the YAML manifests that create pods with volumes, which opens the door to command injection.
Exploitation and Patching
The proof of concept the researchers executed focused on local volumes, one of the volume types within Kubernetes.
Like most shells, Windows' Command Prompt (cmd.exe) lets several commands be chained on a single command line with separators such as "&&"; when an attacker-controlled path is spliced into a command line that cmd.exe parses, anything after the separator runs as a second command.
There are prerequisites to achieving this with local volumes, including the need to specify or create a persistentVolume, among others.
The patch removes the injection point by deleting the cmd call and replacing it with a native Go function that performs the same operation, creating the symlink directly.
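The following Go program is an added illustration, not Akamai's proof of concept and not the Kubernetes source: it models the shape of the removed call (cmd /c mklink /D &lt;link&gt; &lt;source&gt;) to show where a volume path with a cmd.exe separator lands, and contrasts it with the native-symlink approach the patch took, where the same string is just a file name. The volume path, link path and the "&&hostname" tail are constructed for the demonstration; nothing is passed to cmd.exe.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// cmdSeparators are tokens cmd.exe treats as command separators or
// redirections when it parses a command line.
var cmdSeparators = []string{"&&", "||", "&", "|", "<", ">"}

// HasCmdMetachar reports whether a volume path contains something cmd.exe
// would interpret as syntax rather than as part of a file name.
func HasCmdMetachar(path string) bool {
	for _, sep := range cmdSeparators {
		if strings.Contains(path, sep) {
			return true
		}
	}
	return false
}

// VulnerableCommandLine reproduces the shape of the removed call,
//   cmd /c mklink /D <link> <source>
// as the single string cmd.exe would parse. Go quotes an argument only when
// it contains whitespace, so a separator in a path without spaces reaches
// cmd.exe bare. Nothing is executed; this only shows where the path lands.
func VulnerableCommandLine(link, source string) string {
	return strings.Join([]string{"cmd", "/c", "mklink", "/D", link, source}, " ")
}

// InjectedTail is a simplified model of cmd.exe parsing: it returns the text
// that would run as a second command, or "" if there is no separator.
func InjectedTail(source string) string {
	best, sepLen := -1, 0
	for _, sep := range cmdSeparators {
		i := strings.Index(source, sep)
		if i < 0 {
			continue
		}
		if best < 0 || i < best || (i == best && len(sep) > sepLen) {
			best, sepLen = i, len(sep)
		}
	}
	if best < 0 {
		return ""
	}
	return strings.TrimSpace(source[best+sepLen:])
}

// SafeSymlink is the shape of the fix: a native call takes both paths as
// data, so no shell ever sees them. os.Symlink(oldname, newname) makes
// newname point at oldname, matching "mklink /D <link> <source>".
func SafeSymlink(link, source string) error {
	return os.Symlink(source, link)
}

// SafeSymlinkRoundTrip creates, inside dir, a link whose name contains "&&"
// using the native call and returns what the link points to. The separator
// is just bytes in a file name here; nothing runs.
func SafeSymlinkRoundTrip(dir string) (string, error) {
	source := filepath.Join(dir, "backing")
	if err := os.MkdirAll(source, 0o755); err != nil {
		return "", err
	}
	link := filepath.Join(dir, "vol&&hostname")
	if err := SafeSymlink(link, source); err != nil {
		return "", err
	}
	return os.Readlink(link)
}

func main() {
	// Constructed values: a kubelet-side link path and a local.path value
	// carrying a cmd.exe separator. "hostname" stands in for any command.
	link := `C:\var\lib\kubelet\pods\p1\volumes\vol`
	source := `/k&&hostname`
	fmt.Println("separator present:", HasCmdMetachar(source))
	fmt.Println("cmd.exe would parse:", VulnerableCommandLine(link, source))
	fmt.Println("second command:", InjectedTail(source))

	dir, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	target, err := SafeSymlinkRoundTrip(dir)
	if err != nil {
		panic(err)
	}
	fmt.Println("native symlink resolves to:", target)
}
```

The round trip deliberately uses a link name containing "&&": with os.Symlink it is created and resolved as an ordinary file name, which is exactly why swapping the cmd.exe invocation for the native call closes the injection without any input filtering.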
Often it is the Kubernetes configuration itself that creates a vulnerable installation, leaving a broad attack surface for threat actors.
An enterprise environment running Kubernetes is exposed to this flaw only if it has Windows nodes and their kubelet is older than the fixed release.
If that is the case, Akamai provided a command for administrators to run to determine whether the system should be patched.
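Akamai's own check command is not reproduced here; as an added example, the Go program below does the same job from the output of "kubectl get nodes -o json", which is standard kubectl and the only external input assumed. It lists Windows nodes whose kubelet predates the fixed release for their minor line (1.28.4, 1.27.8, 1.26.11, 1.25.16 per the upstream Kubernetes advisory; older lines never received a fix). The embedded node list is constructed for the demonstration, not captured from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// fixedPatch maps a 1.x minor release line to the first patch release that
// carries the fix for CVE-2023-5528. Lines not listed here are either newer
// than 1.28 (fixed) or older than 1.25 (never fixed).
var fixedPatch = map[int]int{28: 4, 27: 8, 26: 11, 25: 16}

// versionRE accepts "v1.27.3", "1.27.3" and vendor-suffixed forms such as
// "v1.27.3-eks-abc"; only the leading major.minor.patch matters.
var versionRE = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)`)

// KubeletAffected reports whether a kubelet version string, as found in
// status.nodeInfo.kubeletVersion, predates the fix for its release line.
func KubeletAffected(v string) (bool, error) {
	m := versionRE.FindStringSubmatch(strings.TrimSpace(v))
	if m == nil {
		return false, fmt.Errorf("unparseable kubelet version %q", v)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	if major != 1 || minor >= 29 {
		return false, nil // anything newer than the 1.28 line carries the fix
	}
	fix, ok := fixedPatch[minor]
	if !ok {
		return true, nil // 1.24 and earlier: no patched release exists
	}
	return patch < fix, nil
}

// nodeList mirrors the parts of `kubectl get nodes -o json` we need.
type nodeList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Status struct {
			NodeInfo struct {
				OperatingSystem string `json:"operatingSystem"`
				KubeletVersion  string `json:"kubeletVersion"`
			} `json:"nodeInfo"`
		} `json:"status"`
	} `json:"items"`
}

// AffectedWindowsNodes returns the names of Windows nodes whose kubelet
// predates the fix. Linux nodes are skipped because the vulnerable code path
// (cmd.exe-based symlink creation) only exists on Windows kubelets.
func AffectedWindowsNodes(nodesJSON []byte) ([]string, error) {
	var nl nodeList
	if err := json.Unmarshal(nodesJSON, &nl); err != nil {
		return nil, err
	}
	var out []string
	for _, n := range nl.Items {
		if !strings.EqualFold(n.Status.NodeInfo.OperatingSystem, "windows") {
			continue
		}
		affected, err := KubeletAffected(n.Status.NodeInfo.KubeletVersion)
		if err != nil {
			return nil, fmt.Errorf("node %s: %w", n.Metadata.Name, err)
		}
		if affected {
			out = append(out, n.Metadata.Name)
		}
	}
	return out, nil
}

// SampleNodes is a constructed kubectl output, not taken from a real cluster.
const SampleNodes = `{"items":[
 {"metadata":{"name":"cp-1"},"status":{"nodeInfo":{"operatingSystem":"linux","kubeletVersion":"v1.27.3"}}},
 {"metadata":{"name":"win-1"},"status":{"nodeInfo":{"operatingSystem":"windows","kubeletVersion":"v1.27.3"}}},
 {"metadata":{"name":"win-2"},"status":{"nodeInfo":{"operatingSystem":"windows","kubeletVersion":"v1.28.4"}}},
 {"metadata":{"name":"win-3"},"status":{"nodeInfo":{"operatingSystem":"windows","kubeletVersion":"v1.26.11"}}},
 {"metadata":{"name":"win-4"},"status":{"nodeInfo":{"operatingSystem":"windows","kubeletVersion":"v1.24.17"}}}
]}`

func main() {
	// Usage: kubectl get nodes -o json > nodes.json && go run . nodes.json
	// With no argument the constructed sample above is scanned instead.
	data := []byte(SampleNodes)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			panic(err)
		}
		data = b
	}
	affected, err := AffectedWindowsNodes(data)
	if err != nil {
		panic(err)
	}
	fmt.Println("Windows nodes needing the CVE-2023-5528 fix:", affected)
}
```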
If immediate patching is not an option, Akamai also provides an Open Policy Agent (OPA) rule to help detect and block this kind of behavior.
OPA is an open source policy engine; in Kubernetes it is typically deployed as an admission controller (for example via Gatekeeper) that evaluates resource manifests against policies before they are admitted, so a manifest whose volume path contains shell metacharacters can be rejected before it ever reaches a kubelet.
Source: www.darkreading.com. Published Wed, 13 Mar 2024 17:20:07 +0000.