Default installations of Kubernetes were vulnerable to a high-severity flaw, which allowed threat actors to remotely execute code with elevated privileges.
Researchers from Akamai discovered the flaw, which has since been patched, uncovering what’s now known as “insufficient input sanitization in in-tree storage plugin”, a flaw that’s tracked as CVE-2023-5588.
It carries a severity score of 7.2, and impacts all versions of kubelet, including 1.8.0 and newer.
Multiple vulnerabilities
“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai explained. “To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster.
A user, with the ability to create pods and persistent volumes on Windows nodes, could elevate their privileges to admin status on those nodes, Kubernetes explained on GitHub. As a result, they might be able to completely take over all Windows nodes in a cluster.
The vulnerability was patched in mid-November last year, so make sure you bring your kubelet to one of these versions:
v1.28.4 v1.27.8 v1.26.11 v1.25.16
In September 2023, Akamai’s researchers found a similar flaw – a command injection vulnerability that could be exploited with a malicious YAML file in the cluster. That flaw, now tracked as CVE-2023-3676, and with a severity score of 8.8, was the one that paved the way for today’s findings, the researchers explained.
“The lack of sanitization of the subPath parameter in YAML files that creates pods with volumes opens up an opportunity for a malicious injection,” they said. “This was the original finding, but at the tail end of that research, we noticed a potential place in the code that looked like it could lead to another command injection vulnerability. After several tries, we managed to achieve a similar outcome.”
For businesses, verifying Kubernetes configuration YAMLs is “crucial”, as input sanitization is “lacking in several code areas in Kubernetes itself”.
Via The Hacker News
