Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances.
"The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled said. "To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster."
Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming affects all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions:
- kubelet v1.28.4
- kubelet v1.27.8
- kubelet v1.26.11, and
- kubelet v1.25.16
"A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes," Kubernetes maintainers said in an advisory released at the time. "Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes."
Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It is worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023.
The issue stems from the use of an "insecure function call and lack of user input sanitization," and relates to a feature called Kubernetes volumes, specifically a volume type known as local volumes, which allows users to mount a disk partition in a pod by specifying or creating a PersistentVolume.
"While creating a pod that includes a local volume, the kubelet service will (eventually) reach the function 'MountSensitive(),'" Peled explained. "Inside it, there is a cmd line call to 'exec.command,' which makes a symlink between the location of the volume on the node and the location inside the pod."
This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the "&&" command separator.
"In order to remove the opportunity for injection, the Kubernetes team chose to delete the cmd call, and replace it with a native Go function that will perform the same operation, 'os.Symlink(),'" Peled said of the patch put in place.
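The fix Peled describes comes down to one choice: build a command line for cmd.exe from a user-controlled path, or call os.Symlink directly so that no shell ever parses the path. The Go below is an added example written for this page, not kubelet's code; the function names and the metacharacter list are assumptions of mine, and it pairs the native call with a path check that rejects shell operators before any mount is attempted, then shows via os.Readlink that a "&&" in a link target is stored as plain text rather than executed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Characters cmd.exe treats as command separators or operators (assumed list);
// a local-volume path is a filesystem location and never needs any of them.
const shellMetachars = "&|<>^;\"`%\n\r"

// ValidateVolumePath rejects a user-controlled PersistentVolume path before it
// is used anywhere: it must be absolute and free of shell operators.
func ValidateVolumePath(p string) error {
	if strings.ContainsAny(p, shellMetachars) {
		return fmt.Errorf("volume path %q contains shell metacharacters", p)
	}
	if !filepath.IsAbs(p) {
		return fmt.Errorf("volume path %q is not absolute", p)
	}
	return nil
}

// LinkVolume follows the shape of the patch described above: validate the path,
// then create the link with os.Symlink instead of a "mklink" command line for
// cmd.exe. No shell parses the path, so "&&" in it cannot start a second command.
func LinkVolume(nodePath, podPath string) error {
	if err := ValidateVolumePath(nodePath); err != nil {
		return err
	}
	return os.Symlink(nodePath, podPath)
}

// ReadBackTarget demonstrates why the native call is safe: a target containing
// "&&" is stored verbatim as link text and comes back unchanged from Readlink.
func ReadBackTarget(dir, target string) (string, error) {
	link := filepath.Join(dir, "demo-link")
	if err := os.Symlink(target, link); err != nil {
		return "", err
	}
	return os.Readlink(link)
}

func main() {
	// Constructed sample: a path shaped like the injection the article describes.
	fmt.Println(ValidateVolumePath("/mnt/disks/vol1 && echo hi")) // rejected
}
```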
The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.
"The Condi botnet source code was released publicly on Github between August 17 and October 12, 2023," Akamai said. "Considering the Condi source code has been available for months now, it is likely that other threat actors [...] are using it."