
Details have been released about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under certain circumstances.
“The vulnerability allows remote code execution with system privileges on all Windows endpoints within the Kubernetes cluster,” said Akamai security researcher Tomer Peled. “To exploit this vulnerability, an attacker would need to apply a malicious YAML file on the cluster.”
The flaw is tracked as CVE-2023-5528 (CVSS score: 7.2) and affects all versions of kubelet from 1.8.0 onward. It was fixed in the following releases, shipped as part of the update published on November 14, 2023:
- kubelet v1.28.4
- kubelet v1.27.8
- kubelet v1.26.11
- kubelet v1.25.16
“A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes,” Kubernetes maintainers said in an advisory at the time. “Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.”

Successful exploitation of this flaw could result in a complete takeover of all Windows nodes in the cluster. Notably, the network infrastructure company previously revealed another set of similar flaws in September 2023.
The issue stems from “unsafe function calls and lack of user input sanitization” in the handling of Kubernetes volumes, specifically the local volume type, which lets a user mount a disk partition into a pod by creating or specifying a PersistentVolume whose path points at the partition on the node.
“When creating a pod that includes a local volume, the kubelet service will (eventually) reach the function ‘MountSensitive()’,” Peled explained. “Inside, there is a command line call to ‘exec.Command’, which creates a symlink between the location of the volume on the node and the location inside the pod.”
Because the volume path from the YAML is interpolated into that command line, an attacker who can create a PersistentVolume can place a specially crafted path in it: appending the “&&” command delimiter followed by further commands turns the symlink creation into command injection, and the injected commands run with the privileges of the kubelet service on the Windows node.

“To remove the opportunity for injection, the Kubernetes team chose to delete the cmd call and replace it with a native GO function that will perform the same operation, ‘os.Symlink()’,” Peled said of the patch.
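The two code paths described above, as an added example that is not kubelet's own code: a simplified reconstruction of the pre-fix pattern (a volume path from the PersistentVolume spec interpolated into a command line that a shell parses), a simplified model of how a shell chains commands on “&&”, and the post-fix pattern, where os.Symlink takes the path as an opaque string. The sample path with an embedded “&& whoami”, the mklink quoting (which is deliberately not reproduced from kubelet), and the ValidateVolumePath defence-in-depth check are all assumptions of this example; the fix itself is the switch to os.Symlink, as the article states. The block runs on any OS because os.Symlink stores the target string literally, so the point can be verified without a Windows node.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VulnerableMklinkCmdLine models the pre-fix pattern the article describes:
// the volume path is formatted into a command line that is handed to cmd.exe
// through exec.Command. Quoting is simplified on purpose (assumption of this
// example, not kubelet's exact string); what matters is that a shell parses it.
func VulnerableMklinkCmdLine(linkPath, volumePath string) string {
	return fmt.Sprintf("mklink /D %s %s", linkPath, volumePath)
}

// ShellCommandsIn is a deliberately simplified model of cmd.exe chaining:
// every "&&" starts a new command. It ignores cmd.exe quoting rules and exists
// only to show how an injected path is interpreted once it reaches a shell.
func ShellCommandsIn(cmdLine string) []string {
	raw := strings.Split(cmdLine, "&&")
	cmds := make([]string, 0, len(raw))
	for _, c := range raw {
		if c = strings.TrimSpace(c); c != "" {
			cmds = append(cmds, c)
		}
	}
	return cmds
}

// SafeSymlink mirrors the fix: os.Symlink receives the path as one opaque
// string and never invokes a shell, so "&&" in the path is just two bytes of
// the link target. The recorded target is read back so a caller can confirm
// the path was taken literally.
func SafeSymlink(volumePath, linkPath string) (string, error) {
	if err := os.Symlink(volumePath, linkPath); err != nil {
		return "", err
	}
	return os.Readlink(linkPath)
}

// ErrSuspiciousPath is returned by ValidateVolumePath, a defence-in-depth
// check suggested by this example (not taken from kubelet): even with
// os.Symlink in place, a volume path carrying shell metacharacters or not in
// canonical form is worth rejecting before any filesystem call.
var ErrSuspiciousPath = errors.New("volume path contains shell metacharacters or is not canonical")

func ValidateVolumePath(p string) error {
	if p == "" || strings.ContainsAny(p, "&|<>;\"'`\n\r\x00") {
		return ErrSuspiciousPath
	}
	if filepath.Clean(p) != p {
		return ErrSuspiciousPath
	}
	return nil
}

func main() {
	// Constructed sample input: a PersistentVolume path with a chained command.
	injected := `C:\data\vol && whoami`

	line := VulnerableMklinkCmdLine(`C:\pods\vol`, injected)
	fmt.Printf("shell would run %d commands: %q\n", len(ShellCommandsIn(line)), ShellCommandsIn(line))

	dir, err := os.MkdirTemp("", "cve-2023-5528-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	target, err := SafeSymlink(injected, filepath.Join(dir, "vol"))
	fmt.Printf("os.Symlink recorded target %q (err=%v)\n", target, err)
	fmt.Println("defence-in-depth check:", ValidateVolumePath(injected))
}
```

The contrast is the whole lesson: the same string that a shell splits into two commands is, under os.Symlink, a single link target that is never executed. The extra validation is not a substitute for removing the shell; it only narrows what a misconfigured or future code path could be fed.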
The disclosure comes as Akamai also revealed that a critical security flaw in the Zhejiang Uniview ISC 2500-S camera (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to deliver a Mirai botnet variant called NetKiller, which shares infrastructure with a different botnet called Condi.
“The Condi botnet source code was released publicly on GitHub between August 17 and October 12, 2023,” Akamai said. “Given that the Condi source code has been available for several months, it is likely that other threat actors […] are using it.”