A high-severity vulnerability in Kubernetes could be exploited to achieve remote code execution (RCE) on all Windows endpoints within the cluster, Akamai's security researchers warn.
Tracked as CVE-2023-3676 (CVSS score of 8.8), the vulnerability impacts Kubernetes' processing of YAML files, which are used throughout the container orchestration system for configuration, management, secret handling, and more.
Kubernetes relies on YAML for cluster configuration, and vulnerabilities in YAML files have been the subject of numerous research projects over the past years.
Using previously known vulnerabilities as a starting point for new research, Akamai discovered that an attacker with 'apply' privileges could inject code to be executed on the Windows machines within the Kubernetes cluster with SYSTEM privileges.
The issue, Akamai explains, is related to how Kubernetes' kubelet service processes YAML files containing information on where a shared directory (between the pod and the host) can be mounted.
By using a subPath subproperty, a user can mount a shared directory or file to a desired location, and kubelet validates the parameters in the YAML file to ensure that no symlinks are created when using subPath.
"The function takes as a parameter the subPath that was supplied by the user in the YAML file. It then uses this path to create a PowerShell command intended to determine the path type. The formatted PowerShell command is then directly invoked by the 'exec.Command' function call," Akamai explains.
The presence of this command and of unsanitized user-supplied input leads to a command injection bug that an attacker can exploit to insert any PowerShell command of their choosing.
"An attacker can abuse this subPath evaluation to reach the vulnerable code and execute any command they want with SYSTEM privileges (kubelet's own context) from remote nodes, and gain control over all Windows nodes in the cluster," Akamai explains.
Akamai, which has published a proof-of-concept (PoC) YAML file and a video showcasing the code's execution, says that the discovery of this vulnerability led to the identification of more command injection flaws in Kubernetes, which are collectively tracked as CVE-2023-3955 and CVE-2023-3893.
After the bugs were patched, Kubernetes started "passing parameters from environment variables instead of from user input", meaning that they are treated as strings instead of being evaluated as expressions by PowerShell, Akamai explains.
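As an added illustration of the two patterns described above (example code written for this article, not kubelet's own source), the Go snippet below builds a path-type check the vulnerable way, interpolating the user-supplied subPath into the PowerShell script text, and the hardened way, passing it through an environment variable so PowerShell only ever sees it as a string. The script text, the PowerShell flags and the KUBELET_SUBPATH variable name are assumptions; nothing is executed, only the constructed command line and environment are inspected.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Vulnerable pattern: the user-controlled subPath is interpolated into the
// script text, so any quoting or separator characters it carries become part
// of the program PowerShell evaluates.
func buildLinkTypeCmdVulnerable(subPath string) *exec.Cmd {
	script := fmt.Sprintf("(Get-Item -LiteralPath \"%s\").LinkType", subPath)
	return exec.Command("powershell", "-NonInteractive", "-Command", script)
}

// Hardened pattern (the approach the patch took): the script text is a
// constant and the value travels in an environment variable, which PowerShell
// reads as data, never as code. The variable name is an assumption.
func buildLinkTypeCmdHardened(subPath string) *exec.Cmd {
	const script = "(Get-Item -LiteralPath $Env:KUBELET_SUBPATH).LinkType"
	cmd := exec.Command("powershell", "-NonInteractive", "-Command", script)
	cmd.Env = append(os.Environ(), "KUBELET_SUBPATH="+subPath)
	return cmd
}

// scriptArg returns the script text that would be handed to PowerShell.
func scriptArg(cmd *exec.Cmd) string { return cmd.Args[len(cmd.Args)-1] }

// envValue returns the effective value of key in cmd.Env (last entry wins,
// matching how os/exec resolves duplicates), or "" if it is unset.
func envValue(cmd *exec.Cmd, key string) string {
	for i := len(cmd.Env) - 1; i >= 0; i-- {
		if strings.HasPrefix(cmd.Env[i], key+"=") {
			return strings.TrimPrefix(cmd.Env[i], key+"=")
		}
	}
	return ""
}

func main() {
	// Constructed sample: a subPath carrying a quote and a statement separator.
	userSubPath := `logs"; Write-Output injected; "`
	v, h := buildLinkTypeCmdVulnerable(userSubPath), buildLinkTypeCmdHardened(userSubPath)
	fmt.Println("vulnerable script:", scriptArg(v)) // input is now part of the program
	fmt.Println("hardened script:  ", scriptArg(h)) // constant, input absent
	fmt.Println("hardened env:     ", envValue(h, "KUBELET_SUBPATH"))
}
```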
CVE-2023-3676 impacts all Kubernetes versions below 1.28. Users are advised to update their instances as soon as possible.
Recommended workarounds include disabling the use of Volume.Subpath, using the Open Policy Agent (OPA) open source agent to create rules that block certain YAML files, and using role-based access control (RBAC) to limit the number of users who can perform actions on a cluster.
"CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges. High impact coupled with ease of exploitation usually means that there is a higher likelihood of seeing this attack (and similar attacks) on organizations," Akamai notes.