A high-severity vulnerability in Kubernetes can be exploited to achieve remote code execution (RCE) on all Windows endpoints within the cluster, Akamai’s security researchers warn.
Tracked as CVE-2023-3676 (CVSS score of 8.8), the vulnerability impacts Kubernetes’ processing of YAML files, which are used within the container orchestration system for configuration, management, secret handling, and more.
Kubernetes relies on YAML for cluster configuration, and vulnerabilities in YAML files have been subject to numerous research projects over the past years.
Using previously identified vulnerabilities as a starting point for new research, Akamai discovered that an attacker with ‘apply’ privileges could inject code to be executed on the Windows machines within the Kubernetes cluster with System privileges.
The issue, Akamai explains, is related to how Kubernetes’ kubelet service processes YAML files containing information on where a shared directory (between the pod and the host) can be mounted.
By using a subPath subproperty, a user can mount a shared directory or file to a desired location, and kubelet validates the parameters in the YAML file to ensure that no symlinks are created when using subPath.
“The function takes as a parameter the subPath that was supplied by the user in the YAML file. It then uses this path to create a PowerShell command meant to determine the path type. The formatted PowerShell command is then immediately invoked by the ‘exec.Command’ function call,” Akamai explains.
The presence of this command and of unsanitized user-supplied input leads to a command injection bug that an attacker can exploit to insert any PowerShell command or threat.
“An attacker can abuse this subPath evaluation to reach the vulnerable code and execute any command they want with SYSTEM privileges (kubelet’s own context) from remote nodes, and gain control over all Windows nodes in the cluster,” Akamai explains.
Akamai, which has published a proof-of-concept (PoC) YAML file and a video showcasing the code’s execution, says that the discovery of this vulnerability led to the identification of more command injection flaws in Kubernetes, which are collectively tracked as CVE-2023-3955 and CVE-2023-3893.
After the bugs were patched, Kubernetes started “passing parameters from environment variables instead of from user input”, meaning that they are treated as strings, instead of being evaluated as expressions by PowerShell, Akamai explains.
CVE-2023-3676 impacts all Kubernetes versions below 1.28. Users are advised to update their instances as soon as possible.
Recommended workarounds include disabling the use of Volume.Subpath, using the Open Policy Agent (OPA) open source agent to create rules to block certain YAML files, and employing role-based access control (RBAC) to limit the number of users who can perform actions on a cluster.
“CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges. High impact coupled with ease of exploitation usually means that there is a higher chance of seeing this attack (and similar attacks) on organizations,” Akamai notes.
Related: Attackers Abuse Kubernetes RBAC to Deploy Persistent Backdoor
Related: Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters
Related: Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver
