Default Kubernetes installations were vulnerable to a high severity flaw, which allowed threat actors to remotely execute code with elevated privileges.
Akamai researchers discovered the flaw, which has since been patched. It is described as “insufficient input sanitization in the tree storage plugin” and is tracked as CVE-2023-5588.
It has a severity score of 7.2 and affects kubelet versions 1.8.0 and later.
Multiple vulnerabilities
“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai explained. “To exploit this vulnerability, the attacker needs to apply malicious YAML files to the cluster.”
A user with the ability to create pods and persistent volumes on Windows nodes could elevate their privileges to administrator status on those nodes, the Kubernetes project explained on GitHub. As a result, they may be able to completely take over all Windows nodes in a cluster.
The vulnerability was patched in mid-November last year, so be sure to bring your kubelet to one of these versions:
v1.28.4, v1.27.8, v1.26.11 or v1.25.16
In September 2023, Akamai researchers found a similar flaw: a command injection vulnerability that could be exploited with a malicious YAML file in the cluster. That flaw, now tracked as CVE-2023-3676 and with a severity score of 8.8, was what paved the way for today's findings, the researchers explained.
“Failure to sanitize the subPath parameter in YAML files that create pods with volumes opens an opportunity for malicious injection,” they said. “This was the original finding, but at the end of that investigation, we noticed a potential place in the code that looked like it could lead to another command injection vulnerability. After several attempts, we managed to achieve a similar result.”
For enterprises, verifying Kubernetes configuration YAMLs is “crucial” as there is “missing sanitization of entries in several code areas of Kubernetes itself.”
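A simple defensive check in the spirit of that advice, as an added example that is not from the article, from Akamai or from the Kubernetes project: it walks a Pod or PersistentVolume manifest and flags subPath, subPathExpr, hostPath and local paths that carry shell metacharacters or ".." segments, the kind of values a command-injection bug in volume handling would ride on. The manifests, the function name find_suspicious_paths and the metacharacter list are the author's constructions.

```python
import json
import re

# Characters that cmd.exe / PowerShell interpret when a path is spliced into a
# command line; a legitimate subPath or local volume path never needs them.
METACHARS = re.compile(r'[&|;`$<>"\r\n]')

def _check(value: str, where: str, findings: list) -> None:
    # Flag shell metacharacters and any ".." segment (Windows or POSIX separators).
    segments = value.replace("\\", "/").split("/")
    if METACHARS.search(value) or ".." in segments:
        findings.append(f"{where}: suspicious path {value!r}")

def find_suspicious_paths(manifest: dict) -> list:
    """Return findings for Pod volumeMount subPath/subPathExpr values, Pod hostPath
    volumes and PersistentVolume local/hostPath paths that look like injection."""
    findings: list = []
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for m in c.get("volumeMounts", []):
                for field in ("subPath", "subPathExpr"):
                    if field in m:
                        _check(m[field], f"container {c.get('name')}/{field}", findings)
        for v in spec.get("volumes", []):
            if "hostPath" in v:
                _check(v["hostPath"].get("path", ""), f"volume {v.get('name')}/hostPath", findings)
    elif manifest.get("kind") == "PersistentVolume":
        for src in ("local", "hostPath"):
            if src in spec:
                _check(spec[src].get("path", ""), f"PersistentVolume/{src}", findings)
    return findings

# Constructed samples. kubectl can emit manifests as JSON (kubectl get pod -o json),
# so the stdlib json module is enough here; load YAML with PyYAML if you prefer.
BENIGN = json.loads(r'''{"kind": "Pod", "spec": {"containers": [{"name": "web",
  "volumeMounts": [{"name": "data", "mountPath": "C:\\data", "subPath": "site/logs"}]}]}}''')

SUSPICIOUS = json.loads(r'''{"kind": "Pod", "spec": {
  "containers": [{"name": "web", "volumeMounts": [
    {"name": "data", "mountPath": "C:\\data", "subPath": "site/logs & echo injected"}]}],
  "volumes": [{"name": "data", "hostPath": {"path": "C:\\data\\..\\secrets"}}]}}''')

if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_suspicious_paths(manifest) or "clean")
```

Run it as a pre-apply gate in CI or wrap the same logic in a validating admission webhook; patching the kubelet remains the fix, this only narrows what reaches an unpatched node.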
Via Hacker News