Kubernetes Windows Nodes Flaw Let Attacks Gain Admin Privilege


As previously reported, three high-severity vulnerabilities in Kubernetes existed in Ingress controllers for NGINX. In addition to this, another high-severity vulnerability for Kubernetes Windows has been discovered. 

This new vulnerability has been given CVE-2023-5528 with a severity of 7.8 (High). This new vulnerability is based on three main things of Kubernetes: Windows nodes in Kubernetes, in-tree storage plugins, the CSI driver, and persistent volumes.

EHA

Cyber Security News received an exclusive report from Daniel Delson at KSOC, highlighting a critical vulnerability in the Windows Nodes for Kubernetes. The report revealed that the main issue behind this vulnerability was the significant lag in the development of the Windows Nodes, which were only added to Kubernetes in 2019 and still fall far behind their Linux counterparts.

Linux uses userIDs and groupIDs for object permissions, whereas Windows uses SIDs, ACLs, and usernames. Though there was Azure Kubernetes Service (AKS) which has been one of the biggest users of Kubernetes in Windows, Azure runs on a mix of Linux and Windows nodes.

The second component contributing to this vulnerability was the Kubernetes Container Storage Interface (CSI), which was introduced as an alternative to plugins inside the Kubernetes Codebase that are specific to different storage vendors.

Moreover, these storage vendors create CSI drivers integrated with the Kubernetes CSI to keep the code outside of Kubernetes and allow Kubernetes to work with these Storage vendors. 

Another component of contribution was PersistentVolume, which is a resource for a Kubernetes Cluster that can be pointed towards in-tree storage plugins such as AWS Elastic Block Store (EBS – not available in v1.27), Azure Disk (not available in v1.27), and many others.

CVE-2023-5528 – Working Principle

When an in-tree storage plugin for Windows Nodes has insufficient input sanitization, it could allow a user to gain administrative privileges on the cluster nodes if the user already possesses access to create pods and PersistentVolumes. 

Though the reason behind this issue is not sure, there is a possibility that the privileges granted to a user can become elevated in certain cases. One assumed reason behind this vulnerability was that in-tree plugins can grant the volume plugins the same privileges as Kubernetes components. 

Mitigation

This vulnerability was associated with Windows Nodes hence, if there is an in-tree storage plugin present, the Kubernetes CSI version is below 1.14, there is a possibility that this vulnerability might exist in the environment.

A complete report about this vulnerability has been published by KSOC which provides detailed information about this vulnerability and the concepts behind this.

Users of Kubernetes are recommended to use the latest version of Kubernetes CSI v1.27 to prevent this vulnerability from getting exploited by threat actors.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.



Source link