There has been a revelation about a fixed high-severity flaw in Kubernetes that could lead to remote code execution with elevated privileges in specific cases.
“The vulnerability enables remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled stated. “To exploit this vulnerability, the attacker must deploy malicious YAML files on the cluster.”
Identified as CVE-2023-5528 (CVSS score: 7.2), this flaw impacts all versions of kubelet, starting from version 1.8.0 and beyond. The fix was included in updates released on November 14, 2023, in versions such as –
- kubelet v1.28.4
- kubelet v1.27.8
- kubelet v1.26.11, and
- kubelet v1.25.16
“A security problem was detected in Kubernetes where a user with the ability to create pods and persistent volumes on Windows nodes might be able to escalate to admin privileges on those nodes,” as per Kubernetes maintainers announcement at that time. “Kubernetes clusters are impacted only if they use an in-tree storage plugin for Windows nodes.”
An exploit of the flaw could lead to full control over all Windows nodes in a cluster. It is worth mentioning that a similar set of vulnerabilities was disclosed by the web infrastructure company in September 2023.
The root cause lies in the use of “insecure function call and lack of user input sanitization,” related to a feature called Kubernetes volumes, particularly employing a volume type known as local volumes that allow users to mount disk partition in a pod by specifying or creating a PersistentVolume.
“When creating a pod containing a local volume, the kubelet service will eventually reach the ‘MountSensitive()’ function,” Peled elaborated. “Within it, there’s a cmd line call to ‘exec.command,’ which establishes a symlink between the volume location on the node and the location inside the pod.”
This presents an opportunity for an attacker to exploit by creating a PersistentVolume with a specifically crafted path parameter in the YAML file, triggering command injection and execution using the “&&” command separator.
“To eliminate the injection opportunity, the Kubernetes team decided to remove the cmd call and replace it with a native GO function that will perform the same operation ‘os.Symlink(),” Peled mentioned regarding the implemented patch.
This revelation comes as a critical security flaw in the Zhejiang Uniview ISC camera model 2500-S, which has reached end-of-life (EoL) (CVE-2024-0778, CVSS score: 9.8), is being exploited by threat actors to deploy a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a botnet named Condi.
“The Condi botnet source code was publicly released on Github between August 17 and October 12, 2023,” Akamai explained. “Considering the availability of the Condi source code for months, it is probable that other threat actors […] are utilizing it.”