Connect with us

Hi, what are you looking for?


Cloud Security

Kubernetes Vulnerability Leads to Remote Code Execution

A high-severity vulnerability can be exploited to execute code remotely on any Windows endpoint within a Kubernetes cluster.

A high-severity vulnerability in Kubernetes can be exploited to achieve remote code execution (RCE) on all Windows endpoints within the cluster, Akamai’s security researchers warn.

Tracked as CVE-2023-3676 (CVSS score of 8.8), the vulnerability impacts Kubernetes’ processing of YAML files, which are used within the container orchestration system for configuration, management, secret handling, and more.

Kubernetes relies on YAML for cluster configuration, and vulnerabilities in YAML files have been subject to numerous research projects over the past years.

Using previously identified vulnerabilities as a starting point for new research, Akamai discovered that an attacker with ‘apply’ privileges could inject code to be executed on the Windows machines within the Kubernetes cluster with System privileges.

The issue, Akamai explains, is related to how Kubernetes’ kubelet service processes YAML files containing information on where a shared directory (between the pod and the host) can be mounted.

By using a subPath subproperty, a user can mount a shared directory or file to a desired location, and kubelet validates the parameters in the YAML file to ensure that no symlinks are created when using subPath.

“The function takes as a parameter the subPath that was supplied by the user in the YAML file. It then uses this path to create a PowerShell command meant to determine the path type. The formatted PowerShell command is then immediately invoked by the ‘exec.Command’ function call,” Akamai explains.

Advertisement. Scroll to continue reading.

The presence of this command and of unsanitized user-supplied input leads to a command injection bug that an attacker can exploit to insert any PowerShell command or threat.

“An attacker can abuse this subPath evaluation to reach the vulnerable code and execute any command they want with SYSTEM privileges (kubelet’s own context) from remote nodes, and gain control over all Windows nodes in the cluster,” Akamai explains.

Akamai, which has published a proof-of-concept (PoC) YAML file and a video showcasing the code’s execution, says that the discovery of this vulnerability led to the identification of more command injection flaws in Kubernetes, which are collectively tracked as CVE-2023-3955 and CVE-2023-3893.

After the bugs were patched, Kubernetes started “passing parameters from environment variables instead of from user input”, meaning that they are treated as strings, instead of being evaluated as expressions by PowerShell, Akamai explains.

CVE-2023-3676 impacts all Kubernetes versions below 1.28. Users are advised to update their instances as soon as possible.

Recommended workarounds include disabling the use of Volume.Subpath, using the Open Policy Agent (OPA) open source agent to create rules to block certain YAML files, and employing role-based access control (RBAC) to limit the number of users who can perform actions on a cluster.

“CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges. High impact coupled with ease of exploitation usually means that there is a higher chance of seeing this attack (and similar attacks) on organizations,” Akamai notes.

Related: Attackers Abuse Kubernetes RBAC to Deploy Persistent Backdoor

Related: Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters

Related: Over 380,000 Kubernetes API Servers Exposed to Internet: Shadowserver

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...