Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover
14.3.24 Vulnerebility The Hacker News
Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances.
"The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled said. "To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster."
Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions -
kubelet v1.28.4
kubelet v1.27.8
kubelet v1.26.11, and
kubelet v1.25.16
"A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes," Kubernetes maintainers said in an advisory released at the time. "Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes."
Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It's worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023.
The issue stems from the use of "insecure function call and lack of user input sanitization," and relates to feature called Kubernetes volumes, specially leveraging a volume type known as local volumes that allow users to mount disk partition in a pod by specifying or creating a PersistentVolume.
"While creating a pod that includes a local volume, the kubelet service will (eventually) reach the function 'MountSensitive(),'" Peled explained. "Inside it, there's a cmd line call to 'exec.command,' which makes a symlink between the location of the volume on the node and the location inside the pod."
This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the "&&" command separator.
"In an effort to remove the opportunity for injection, the Kubernetes team chose to delete the cmd call, and replace it with a native GO function that will perform the same operation 'os.Symlink()," Peled said of the patch put in place.
The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.
"The Condi botnet source code was released publicly on Github between August 17 and October 12, 2023," Akamai said. "Considering the Condi source code has been available for months now, it is likely that other threat actors [...] are using it."