Monday, February 10, 2025
HomeCVE/vulnerabilityKubernetes Vulnerability Let Attackers Take Full System Control

Kubernetes Vulnerability Let Attackers Take Full System Control

Published on

SIEM as a Service

Follow Us on Google News

A new vulnerability, CVE-2023-5528, has been discovered with Kubernetes. This vulnerability is associated with a command injection vulnerability that leads to remote code execution with SYSTEM-level privileges on the compromised Windows node. The severity for this vulnerability has been given as 7.2 (High).

Several prerequisites are required for a threat actor to exploit this vulnerability, including applying malicious YAML files to the cluster, access to create a persistent volume that can be utilized during the command injection process, and some level of user privilege on the affected Kubernetes cluster.

Two additional vulnerabilities with the same underlying cause were identified subsequent to the identification of this one: an insecure function call and inadequate user input sanitization.

Document

Free Webinar: Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Technical Analysis

According to the Akamai report shared with Cyber Security News, this vulnerability is linked with another previously disclosed vulnerability, CVE-2023-3676, related to another command injection vulnerability.

Both of these vulnerabilities were present on the Kubernetes cluster due to insecure function calls and a lack of user input sanitization.

Further analysis revealed that these command injections existed because of the lack of sanitization on the subPath parameter in YAML files, which uses the Kubelet service to execute commands with SYSTEM-level privileges.

In addition, there was an insecure function MountSensitive() with a cmd line call to “exec.command”. 

Vulnerable cmd line code (Source: Akamai)

This function makes a symlink between the location of the volume on the node and the location inside the pod.

However, since it uses a Windows command prompt, the cmd terminal concatenation can be utilized to execute additional commands alongside the original parameter. 

Local Volume And Persistent Volume

The exploitation involves the use of local volume type and persistent volume.

Local volumes are used to allow users to mount disk partitions inside a path, whereas persistent volumes are storage resources that a cluster admin can create to provide a storage space that will last even after the lifetime of the pod.

Once a persistentVolume is created, users can ask for storage space using a persistentVolumeClaim function.

It is worth denoting that Kubernetes uses YAML files for almost all of the functions inside the Kubernetes.

Hence, in this case, the local.path parameter inside a YAML file can be supplied with malicious commands executed during the mounting process.

Malicious command injection exploitability (Source: Akamai)

This vulnerability can be exploited on default installations of Kubernetes (earlier than version 1.28.4), and was tested against both on-prem deployments and Azure Kubernetes Service.

Patch Analysis And Mitigation Steps

Kubernetes has acted swiftly upon this vulnerability and has deleted the cmd line function. They have replaced it with a native Go function that only performs the symlink operation.

This vulnerability affects the Kubernetes version earlier than 1.28.4. It is recommended that organizations upgrade their Kubernetes to the latest version to prevent the exploitation of this vulnerability.

The below command can be executed to check if your Kubernetes has been affected.

root@controller:~/$ kubectl get nodes -o wide –show-labels | grep “os=windows”

  akswin000000                        Ready    agent   4d17h   v1.26.6   agentpool=win,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=windows…

  akswin000001                        Ready    agent   4d17h   v1.26.6   agentpool=win,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=windows…

  root@controller:~/$

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Tor Browser 14.0.6 Released, What’s New!

The Tor Project has officially unveiled Tor Browser 14.0.6, now accessible for download from the...

Hackers Exploit AnyDesk Vulnerability to Gain Admin Access – PoC Released

A newly discovered vulnerability in AnyDesk, the popular remote desktop software, has sparked serious...

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit AnyDesk Vulnerability to Gain Admin Access – PoC Released

A newly discovered vulnerability in AnyDesk, the popular remote desktop software, has sparked serious...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...