Compiled by: Code Guard
Three interrelated, high-severity vulnerabilities exist in Kubernetes that can be used to achieve remote code execution with elevated privileges on the Windows endpoints of the cluster.
The vulnerabilities are CVE-2023-3676, CVE-2023-3893 and CVE-2023-3955, each with a CVSS score of 8.8, and they affect every Kubernetes environment that has Windows nodes. Akamai reported them on July 13, 2023, and the fixes were released on August 23, 2023.
Akamai researcher Tomer Peled wrote in his analysis: "This vulnerability can allow a person to execute remote code with system privileges on all Windows endpoints of the K8s cluster. To exploit this vulnerability, an attacker needs to apply a malicious YAML file on the cluster."
AWS, Google Cloud, and Microsoft Azure have issued security advisories for these vulnerabilities, which affect the following Kubelet versions:
kubelet < v1.28.1
kubelet < v1.27.5
kubelet < v1.26.8
kubelet < v1.25.13
kubelet < v1.24.17
In short, CVE-2023-3676 allows an attacker with "apply" permissions to inject arbitrary code that is executed with system privileges on a remote Windows machine. Peled noted: "CVE-2023-3676 requires low permissions, so the threshold for attack is not high. All the attacker needs is access to the node and apply permissions."
The root cause of this vulnerability and CVE-2023-3955 is a lack of input sanitization, which can cause specially constructed path strings to be parsed into PowerShell command parameters, leading to command execution.
CVE-2023-3893 is a privilege escalation in the Container Storage Interface (CSI) proxy that could allow a malicious actor to gain administrator privileges on a node. The Kubernetes security platform ARMO said last month: "A recurring theme in these vulnerabilities is the lack of input sanitization in the Windows-specific port of Kubelet. Specifically, the software fails to properly validate or sanitize user input when processing Pod definitions, allowing malicious actors to construct pods with host paths via environment variables; handling these paths can lead to unexpected behavior such as privilege escalation."
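As an added, defender-side illustration (example code written for this compilation, not Akamai's, ARMO's or the Kubernetes project's own), the following Python does two things grounded in the article: it checks a node's kubelet version against the fixed releases listed above, and it lints a Pod manifest for hostPath volumes, subPath values and environment variables referenced from subPathExpr whose contents contain PowerShell metacharacters rather than a plain Windows path. The metacharacter set and the sample manifests are assumptions constructed for the example; the actual validation added by the Kubernetes fix is not reproduced here.

```python
import re

# Fixed kubelet releases named in the article (v1.24.17, v1.25.13, v1.26.8,
# v1.27.5, v1.28.1): a node below the fix for its minor line is affected.
FIXED_PATCH = {24: 17, 25: 13, 26: 8, 27: 5, 28: 1}

# Assumption made for this example: characters that do not belong in a
# Windows file path but carry meaning in PowerShell. Kubelet's real
# post-fix validation is not reproduced.
SUSPICIOUS = re.compile(r"[$`;|&(){}<>\"'\r\n]")
ENV_REF = re.compile(r"\$\(([^)]+)\)")  # $(NAME) references in subPathExpr


def parse_version(version):
    """Return (major, minor, patch) from strings like 'v1.27.4' or '1.27.4'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(x) for x in m.groups())


def kubelet_is_vulnerable(version):
    """True if the kubelet version falls inside the affected ranges above."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return False
    if minor < 24:
        return True            # everything below v1.24.17 is affected
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return False           # 1.29 and later only ever shipped with the fix
    return patch < fixed


def audit_pod(pod):
    """Return human-readable findings for path-like fields of a Pod manifest
    (already parsed from YAML into a dict) that contain PowerShell
    metacharacters. An empty list means nothing was flagged."""
    findings = []
    spec = pod.get("spec", {})

    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        if SUSPICIOUS.search(path):
            findings.append(f"hostPath volume {vol.get('name')!r}: {path!r}")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name")
        env = {e.get("name"): (e.get("value") or "") for e in c.get("env", [])}
        for vm in c.get("volumeMounts", []):
            for key in ("mountPath", "subPath"):
                val = vm.get(key, "")
                if SUSPICIOUS.search(val):
                    findings.append(f"container {cname!r} {key}: {val!r}")
            expr = vm.get("subPathExpr", "")
            # Env vars referenced via $(NAME) are expanded into the mount
            # path, so their values are checked as well.
            for ref in ENV_REF.findall(expr):
                val = env.get(ref, "")
                if SUSPICIOUS.search(val):
                    findings.append(
                        f"container {cname!r} env {ref!r} feeds subPathExpr: {val!r}")
            if SUSPICIOUS.search(ENV_REF.sub("", expr)):
                findings.append(f"container {cname!r} subPathExpr literal: {expr!r}")
    return findings


def make_pod(logdir):
    """Constructed sample manifest (not from the article or any real cluster):
    a Windows pod whose subPathExpr expands the LOGDIR env var."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "win-logger"},
        "spec": {
            "nodeSelector": {"kubernetes.io/os": "windows"},
            "volumes": [
                {"name": "host-logs", "hostPath": {"path": "C:\\ProgramData\\logs"}},
            ],
            "containers": [{
                "name": "app",
                "image": "example.invalid/app:1.0",
                "env": [{"name": "LOGDIR", "value": logdir}],
                "volumeMounts": [{
                    "name": "host-logs",
                    "mountPath": "C:\\logs",
                    "subPathExpr": "$(LOGDIR)",
                }],
            }],
        },
    }


if __name__ == "__main__":
    for v in ("v1.27.4", "v1.27.5", "v1.23.9", "v1.29.0"):
        print(v, "vulnerable" if kubelet_is_vulnerable(v) else "fixed/unaffected")
    for finding in audit_pod(make_pod("app;$(x)")):
        print("FLAG:", finding)
    print("clean manifest findings:", audit_pod(make_pod("app")))
```

Such a check belongs in an admission controller or a CI lint over manifests; on its own it only narrows the review list, and upgrading kubelet to the fixed releases remains the actual remediation.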
Original link
https://thehackernews.com/2023/09/alert-new-kubernetes-vulnerabilities.html
Title image: Pixabay License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qianxin Code Guard https://codesafe.qianxin.com" when reprinting.