Patching a high-severity vulnerability in Kubernetes first disclosed in November is now more urgent, with Akamai publishing an explainer of the bug, complete with exploit demonstration.
CVE-2023-5528 arises from “insufficient input sanitisation in [an] in-tree storage plug-in” which offers a path to privilege escalation.
As the National Vulnerability Database explained, “a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes”.
According to a blog post published by Akamai on March 13, the bug affects Kubernetes versions earlier than the November 14 patch, 1.28.4.
“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai said.
“To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster.”
A successful exploit can give an attacker full takeover of “all Windows nodes on a cluster”.
The vulnerability arises, Akamai said, from a lack of sanitisation of the subPath parameter in YAML files, which creates the malicious injection opportunity.
“Input sanitisation is lacking in several code areas in Kubernetes itself and its sidecar projects,” Akamai noted.
The Kubernetes GitHub post noted that audit logs in Kubernetes “can be used to detect if this vulnerability is being exploited.
“Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.”
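The detection hint above can be turned into a small audit-log scan. The following is an added example written for this article, not code from Akamai or the Kubernetes project: it reads Kubernetes audit log lines (one `audit.k8s.io/v1` JSON event per line), keeps only `create` requests for the `persistentvolumes` resource, and flags any whose `spec.local.path` contains a character outside a conservative allow-list. It assumes the cluster's audit policy records persistent volume requests at level `Request` or `RequestResponse` (so `requestObject` is present); the allow-list, the `_audit_event` helper and the sample log lines are constructed for illustration.

```python
import json
import re

# Conservative allow-list for a local volume path: letters, digits, both path
# separators, a drive colon, dot, underscore, dash and space. Anything else
# (shell metacharacters, quotes, control characters) is treated as suspicious.
# The allow-list is an assumption for this example; tune it to your node OS.
_SAFE_PATH_RE = re.compile(r'^[A-Za-z0-9/\\:._\- ]*$')


def is_suspicious_path(path: str) -> bool:
    """Return True when the path contains characters outside the allow-list."""
    return _SAFE_PATH_RE.match(path) is None


def local_path_of(event: dict):
    """Pull spec.local.path out of an audit event's requestObject.

    requestObject is only recorded when the audit policy logs persistentvolumes
    at level Request or RequestResponse; at Metadata level this returns None.
    """
    obj = event.get("requestObject") or {}
    return ((obj.get("spec") or {}).get("local") or {}).get("path")


def flag_pv_create_events(lines):
    """Scan audit log lines (one JSON object per line) and return findings for
    PersistentVolume create requests whose local path contains special
    characters. Events are deduplicated on auditID so a RequestReceived /
    ResponseComplete pair for the same request counts once."""
    findings, seen = [], set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an audit record; skip it
        ref = ev.get("objectRef") or {}
        if ev.get("verb") != "create" or ref.get("resource") != "persistentvolumes":
            continue
        path = local_path_of(ev)
        if path is None or not is_suspicious_path(path):
            continue
        audit_id = ev.get("auditID")
        if audit_id in seen:
            continue
        seen.add(audit_id)
        findings.append({
            "auditID": audit_id,
            "user": (ev.get("user") or {}).get("username"),
            "name": ref.get("name"),
            "path": path,
        })
    return findings


def _audit_event(audit_id, username, resource, name, local_path=None):
    """Build a constructed audit.k8s.io/v1 event (sample data, not a real log)."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "auditID": audit_id, "stage": "ResponseComplete", "verb": "create",
        "user": {"username": username},
        "objectRef": {"resource": resource, "name": name},
    }
    if local_path is not None:
        ev["requestObject"] = {"spec": {"local": {"path": local_path}}}
    return ev


# Constructed sample log lines: two benign PV creates (Linux and Windows paths),
# one PV whose local path carries a character outside the allow-list, and an
# unrelated pod create that must be ignored.
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in (
    _audit_event("a1", "admin", "persistentvolumes", "pv-linux", "/mnt/disks/ssd1"),
    _audit_event("a2", "admin", "persistentvolumes", "pv-win", "C:\\data\\vol1"),
    _audit_event("a3", "dev-user", "persistentvolumes", "pv-odd", "C:\\data\\vol1&marker"),
    _audit_event("a4", "dev-user", "pods", "web-0"),
)]

if __name__ == "__main__":
    for f in flag_pv_create_events(SAMPLE_AUDIT_LINES):
        print(f"ALERT auditID={f['auditID']} user={f['user']} "
              f"pv={f['name']} path={f['path']!r}")
```

Run against a real audit log by passing `open("/var/log/kubernetes/audit.log")` in place of `SAMPLE_AUDIT_LINES`; the `user` and `auditID` fields in each finding are what you would pivot on to find the originating request and the pods created by the same identity. Because the check is an allow-list rather than a list of known-bad characters, it also surfaces injection attempts that use characters you did not anticipate.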