Details have been made public of a now-patched high-severity flaw in Kubernetes that could allow an attacker to achieve remote code execution with elevated privileges under specific circumstances.
“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” said Tomer Peled, security researcher at Akamai. “To exploit this vulnerability, the attacker must apply malicious YAML files on the cluster.”
Tracked as CVE-2023-5528 (CVSS score: 7.2), the flaw impacts all versions of kubelet from version 1.8.0 onward. It was fixed as part of the updates released on November 14, 2023, in the following versions:
- kubelet v1.28.4
- kubelet v1.27.8
- kubelet v1.26.11
- kubelet v1.25.16
“A security issue has been discovered in Kubernetes where a user capable of creating persistent pods and volumes on Windows nodes may be able to escalate administrator privileges on those nodes,” Kubernetes maintainers said in a released advisory at the time. “Kubernetes clusters are only affected if they use an in-tree storage plugin for Windows nodes.”
Successful exploitation of the flaw could lead to the complete takeover of all Windows nodes in a cluster. It is worth noting that another set of similar flaws was previously revealed by the web infrastructure company in September 2023.
The issue stems from the use of “unsafe function calls and lack of sanitization of user input” and relates to the feature called Kubernetes volumes, which specifically takes advantage of a type of volume known as local volumes that allows users to mount the disk partition in a pod by specifying or creating a persistent volume.
“When creating a pod that includes a local volume, the kubelet service will (eventually) reach the ‘MountSensitive()’ function,” Peled explained. “Within it, there is a cmd line call to ‘exec.command’, which creates a symbolic link between the location of the volume on the node and the location within the pod.”
This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution using the “&&” command separator.
“In an effort to eliminate the injection opportunity, the Kubernetes team chose to eliminate the cmd call and replace it with a native GO function that will perform the same ‘os.Symlink()’ operation,” Peled said of the patch in place.
The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC Model 2500-S camera (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to spread a Mirai botnet variant called NetKiller, which shares infrastructure overlaps with a different botnet called Condi.
“The source code of the Condi botnet was released publicly on Github between August 17 and October 12, 2023,” Akamai said. “Considering that the Condi source code has been available for months now, it is likely that other threat actors […] are using it.”