Patch Now: Kubernetes RCE Flaw Allows Full Takeover of Windows Nodes

  /     /     /  
Publicated : 23/11/2024   Category : security

Patch Now: Kubernetes RCE Flaw Allows Full Takeover of Windows Nodes


Attackers can remotely execute code with system privileges by exploiting a vulnerability in the source code of the open source container management system.


A security bug in the widely used Kubernetes container-management system allows attackers to remotely execute code with System privileges on Windows endpoints, potentially leading to full takeover of all Windows nodes within a
Kubernetes cluster
.
Akamai security researcher Tomer Peled discovered the flaw, which is tracked as CVE-2023-5528 and has a CVSS score of 7.2. Exploitation lies in manipulating Kubernetes volumes, a feature aimed at supporting the sharing of data between pods on a cluster, or storing it persistently outside of a pods lifecycle, he explained
in a blog post
published March 13.
As an attack vector, attackers would need
to create pods and persistent volumes
on Windows nodes, which would allow them to escalate to admin privileges on those nodes, according to a GitHub listing for the flaw.
It is very easy to exploit this vulnerability because an attacker would only need to modify a parameter and apply 3 YAML files to gain RCE over the Windows endpoints, Peled tells Dark Reading.
The Kubernetes framework
uses YAML files for basically everything, he wrote in the post.
Kubernetes clusters
are only affected if they are using an in-tree storage plugin for Windows; however, there are many different volume types developers can use, creating different attack scenarios, Peled observed in the post.
Default installations of Kubernetes earlier than version 1.28.4 running both on-prem deployments and Azure Kubernetes Service are vulnerable. The Kubernetes team has been alerted of the flaw and there is a patch available for remediation, which is highly recommended.
Since the issue lies within the source code, this threat will remain active and exploitation of it will likely increase — this is why we strongly advise patching your cluster even if it doesnt have any Windows nodes, Peled wrote.
Peled discovered the flaw after an investigation of another vulnerability that shared the same root cause: insecure function call and lack of user input sanitization in Kubernetes. That flaw was
CVE-2023-3676
, a command injection vulnerability that could be exploited by applying a malicious YAML file onto the cluster. The discovery of this vulnerability led to the discovery of two others that also are caused by the lack of sanitization of the subPath parameter in YAML files, which creates pods with volumes and opens up an opportunity for a malicious code injection.
At the tail end of that research, we noticed a potential place in the code that looked like it could lead to another command injection vulnerability, which ultimately became CVE-2023-5528, Peled explained.
After several tries, we managed to achieve a similar outcome: executing commands as the kubelet service (SYSTEM privileges), he wrote.
The proof of concept that the researchers executed focused on local volumes, one of the volume types within Kubernetes. While creating a pod that includes a local volume, the kubelet service will eventually reach a function with a cmd line call to exec.command, creating a symlink between the location of the volume on the node and the location inside the pod.
Like many terminals, Windows Command Prompt (cmd) allows for the execution of two or more commands one right after the other, as well as multiple commands in the same command line. The fact that we can control one of the parameters in the cmd execution means that we can use command injection, Peled explained.
There are prerequisites to achieving this on local volumes, including the need to specify or create a persistentVolume, among others. However, once that volume is created, a user can ask for storage space using a persistentVolumeClaim, he wrote. This is where the injection can be placed.
The patch created for the flaw removes the opportunity for injection by deleting the cmd call, and replacing it with a native GO function that will perform the same operation to create the symlink. Now, the GO os library will only perform a symlink operation, as was intended initially, he explained.
Kubernetes
has emerged as one of the most widely used open source systems for containers; however, it also has become
a prime target
for threat actors due to its
vast potential
for exploitation and access to organizational data. Moreover, oftentimes Kubernetes configuration itself creates a vulnerable installation, providing a broad attack surface for threat actors.
Kubernetes is a very complex and robust tool, Peled says. On the one hand its robustness allows users to tailor their experience to their organizations needs, but on the other hand it makes it very hard to secure every aspect of it from both a developer or user standpoint.
Indeed, the discovery of CVE-2023-5528 and its related flaws highlights for enterprises deploying Kubernetes how crucial it is to verify Kubernetes configuration YAMLs, since input sanitization is lacking in several code areas in Kubernetes itself and its sidecar projects, Peled wrote.
Following best practices such as role-based access control (RBAC) and making sure clusters are up to date also should mitigate a large portion of known threats, he tells Dark Reading.
An enterprise environment running Kubernetes is vulnerable to exploit of the flaw only if a version of the system is earlier than 1.28.4 and the system is running Windows nodes. If this is the case, Akamai provided a command for administrators to run to determine if the system should be patched. If so, the patching should be prioritized.  
If your Kubernetes cluster doesnt have any Windows nodes, you dont have to rush to patch this specific vulnerability, Peled noted. But its important to patch it anyway when you have the time.
If immediate patching is not an option, Akamai also
is providing
an Open Policy Agent (OPA) rule to help detect and block this kind of behavior. OPA is an open source agent that allows users to receive data on traffic going in and out of nodes and take policy-based actions on the received data.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Patch Now: Kubernetes RCE Flaw Allows Full Takeover of Windows Nodes