Critical Kubernetes Flaws Expose Windows Endpoints to Remote Code Execution

Sep 14, 2023 | News


Three closely linked high-severity security vulnerabilities have been discovered in Kubernetes, posing a significant risk of remote code execution with elevated privileges on Windows endpoints within a cluster.

These vulnerabilities, identified as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry a high CVSS score of 8.8 and affect all Kubernetes environments featuring Windows nodes. Fixes for these vulnerabilities were released on August 23, 2023, following responsible disclosure by Akamai, which reported them on July 13, 2023.

Akamai’s security researcher, Tomer Peled, described the implications, stating, “The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster. To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster.”


Major cloud providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, have issued advisories for these vulnerabilities, which impact the following versions of Kubelet:

  • kubelet < v1.28.1
  • kubelet < v1.27.5
  • kubelet < v1.26.8
  • kubelet < v1.25.13
  • kubelet < v1.24.17
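A quick inventory check against the version table above, added here as an example and not part of the original article or any vendor tooling: it reads the JSON that `kubectl get nodes -o json` produces, keeps only nodes labelled `kubernetes.io/os=windows`, and reports those whose kubelet is still below the fixed patch level. The sample node list is constructed; minor lines not in the table are reported as "unlisted" for manual review (an assumption, since the article gives no fix for them).

```python
import json
import re

# Fixed kubelet patch level per minor release, taken from the advisory list
# above. A Windows node below the listed patch is in the affected range.
FIXED_PATCH = {28: 1, 27: 5, 26: 8, 25: 13, 24: 17}

# Matches the leading "vMAJOR.MINOR.PATCH"; cloud builds often append a
# suffix such as "-eks-..." which is ignored.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def kubelet_status(version: str) -> str:
    """Classify a kubelet version string against the fixed releases.

    Returns 'affected', 'patched', or 'unlisted' (a minor line the advisory
    table does not cover; treat as needing manual review)."""
    m = VERSION_RE.match(version)
    if not m:
        return "unlisted"
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1 or minor not in FIXED_PATCH:
        return "unlisted"
    return "patched" if patch >= FIXED_PATCH[minor] else "affected"


def affected_windows_nodes(node_list: dict) -> list:
    """Return names of Windows nodes whose kubelet is still affected,
    given the parsed output of `kubectl get nodes -o json`."""
    hits = []
    for node in node_list.get("items", []):
        labels = node["metadata"].get("labels", {})
        if labels.get("kubernetes.io/os") != "windows":
            continue  # only Windows nodes are in scope for these CVEs
        version = node["status"]["nodeInfo"]["kubeletVersion"]
        if kubelet_status(version) == "affected":
            hits.append(node["metadata"]["name"])
    return hits


# Constructed sample node list (not real cluster output).
SAMPLE_NODES = json.loads("""
{"items": [
 {"metadata": {"name": "win-a", "labels": {"kubernetes.io/os": "windows"}},
  "status": {"nodeInfo": {"kubeletVersion": "v1.27.4-eks-example"}}},
 {"metadata": {"name": "win-b", "labels": {"kubernetes.io/os": "windows"}},
  "status": {"nodeInfo": {"kubeletVersion": "v1.28.1"}}},
 {"metadata": {"name": "lin-a", "labels": {"kubernetes.io/os": "linux"}},
  "status": {"nodeInfo": {"kubeletVersion": "v1.26.7"}}}
]}
""")

if __name__ == "__main__":
    print("Windows nodes needing a kubelet upgrade:", affected_windows_nodes(SAMPLE_NODES))
```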

In essence, CVE-2023-3676 allows an attacker who holds ‘apply’ privileges (that is, permission to create or update objects through the Kubernetes API) to inject arbitrary code that executes on remote Windows machines with SYSTEM privileges.

“CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need is access to a node and apply privileges,” highlighted Peled.

CVE-2023-3676, along with CVE-2023-3955, stems from a lack of input sanitization: a specially crafted path string is passed unescaped as a parameter to a PowerShell command, ultimately resulting in command execution.

CVE-2023-3893, on the other hand, relates to privilege escalation in the Container Storage Interface (CSI) proxy, enabling a malicious actor to gain administrator access on the node.

These vulnerabilities share a common theme, involving lapses in input sanitization in the Windows-specific porting of the Kubelet in Kubernetes.

Specifically, when handling Pod definitions, the software fails to sufficiently validate or sanitize user inputs. This oversight empowers malicious users to create pods with environment variables and host paths that, when processed, lead to undesired behaviors, such as privilege escalation, as noted by Kubernetes security platform ARMO last month.


Source: thehackernews.com
