Advisory

Privilege escalation vulnerability in Windows Kubernetes endpoints

Take action: Plan your Kubernetes Cluster patching, and check your cloud provider whether they are vulnerable. Not urgent, but important.


Learn More

Two critical vulnerabilities have been identified in Kubernetes that pose a significant security risk to unpatched Windows endpoints within a cluster. The vulnerabilities expose these Windows systems to the potential of remote code execution (RCE) with system-level privileges.

This discovery builds upon previous research into a vulnerability affecting Windows nodes, specifically CVE-2023-3676, which was reported in July. Further analysis revealed that once a cyber attacker successfully exploits the vulnerability in Windows nodes, they can pivot to take advantage of two additional command injection vulnerabilities, tracked as CVE-2023-3893 and CVE-2023-3955. According to the researchers, all of these flaws share a common root cause: an "insecure function call and lack of user input sanitization."

To exploit these two Kubernetes vulnerabilities, cyber attackers simply need to inject a malicious YAML file into the Kubernetes cluster.

All Kubernetes versions below 1.28 are vulnerable to these CVEs.

The report emphasizes that CVE-2023-3676 has relatively low privilege requirements, making it accessible to a broader range of attackers. As the report states, "CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges. Successful exploitation of this vulnerability will lead to remote code execution on any Windows node on the machine with system privileges."

To safeguard against the vulnerability described, patching is the most dependable method. If patching is not feasible, there are alternative measures to consider for protection:

  • Disabling Volume.Subpath: For CVE-2023-3676, Kubernetes administrators can disable the use of Volume.Subpath. While effective in preventing this vulnerability, it disables a feature that is sometimes essential for production clusters.
  • Open Policy Agent (OPA): OPA is an open-source agent designed to monitor traffic in and out of nodes and enact policy-based actions based on this data. It uses the Rego language to create rules that can block specific YAML files from being applied. These rules provide an additional layer of security against potential threats, as illustrated in Figure 7.
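As an added illustration of the two mitigations above (not code from the advisory or from the Kubernetes project), the following Python check walks a Pod or workload manifest and denies it when any container mounts a volume with subPath or subPathExpr, by default only for pods steered to Windows nodes. It assumes the standard PodSpec field names (volumeMounts.subPath, volumeMounts.subPathExpr, the kubernetes.io/os nodeSelector label, and securityContext.windowsOptions) and uses a constructed sample manifest; the same logic is what an admission policy written in Rego would express.

```python
# Added example: flag Kubernetes manifests that use subPath/subPathExpr volume
# mounts on Windows-scheduled pods, mirroring the "disable Volume.Subpath"
# mitigation as a pre-admission check. Not the project's code; the sample
# manifest below is constructed for illustration.
from typing import Any, Dict, List, Tuple


def _pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec for a Pod, or the template spec of a
    Deployment/DaemonSet/StatefulSet/Job-style workload."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec") or {}
    return ((manifest.get("spec") or {}).get("template") or {}).get("spec") or {}


def targets_windows(spec: Dict[str, Any]) -> bool:
    """True if the pod is steered to Windows nodes. Assumption: the usual
    markers are the kubernetes.io/os nodeSelector and windowsOptions."""
    node_selector = spec.get("nodeSelector") or {}
    if node_selector.get("kubernetes.io/os") == "windows":
        return True
    return "windowsOptions" in (spec.get("securityContext") or {})


def find_subpath_mounts(manifest: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (container name, volume name, field) for every volumeMount that
    sets subPath or subPathExpr, across init, regular and ephemeral containers."""
    spec = _pod_spec(manifest)
    findings: List[Tuple[str, str, str]] = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(key) or []:
            for mount in container.get("volumeMounts") or []:
                for field in ("subPath", "subPathExpr"):
                    if field in mount:
                        findings.append(
                            (container.get("name", "?"), mount.get("name", "?"), field)
                        )
    return findings


def admission_decision(manifest: Dict[str, Any], windows_only: bool = True) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). With windows_only=True only Windows-targeted
    workloads are denied; pass False to block subPath mounts cluster-wide."""
    findings = find_subpath_mounts(manifest)
    if not findings:
        return True, []
    if windows_only and not targets_windows(_pod_spec(manifest)):
        return True, []
    reasons = [f"container {c!r} mounts volume {v!r} with {f}" for c, v, f in findings]
    return False, reasons


# Constructed sample manifest (not from the advisory): a Windows-scheduled Pod
# whose container mounts an emptyDir volume with subPath.
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "win-subpath-demo"},
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "containers": [
            {
                "name": "app",
                "image": "placeholder-image",
                "volumeMounts": [
                    {"name": "data", "mountPath": "C:\\data", "subPath": "sub"}
                ],
            }
        ],
        "volumes": [{"name": "data", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    allowed, reasons = admission_decision(SAMPLE_POD)
    print("allowed" if allowed else "denied: " + "; ".join(reasons))
```

Run it against manifests exported with kubectl (converted to a dict with a YAML parser) to inventory which workloads would break if subPath were disabled, or port the same conditions to a Rego deny rule if the cluster already enforces policy through OPA.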
