Researchers Outline Kubernetes Vulnerability Allowing Windows Node Takeover


A high-severity flaw in Kubernetes has been disclosed that allows an attacker to achieve remote code execution with elevated privileges in certain scenarios. Akamai security researcher Tomer Peled revealed that the vulnerability permits remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster. Exploiting this flaw requires the attacker to apply malicious YAML files on the cluster.

Tracked as CVE-2023-5528 with a CVSS score of 7.2, the vulnerability affects all versions of kubelet from version 1.8.0 onward. Kubernetes maintainers addressed the issue in updates released on November 14, 2023, including kubelet versions 1.28.4, 1.27.8, 1.26.11, and 1.25.16. The flaw allows a user who can create pods and persistent volumes on Windows nodes to escalate to admin privileges on those nodes. Only Kubernetes clusters using an in-tree storage plugin for Windows nodes are impacted.

Successful exploitation of the vulnerability could lead to a complete takeover of all Windows nodes in a cluster. The flaw stems from an insecure function call and a lack of user input sanitization, particularly in the Kubernetes volumes feature. Peled explained that when a pod is created with a local volume, the kubelet service eventually reaches the "MountSensitive()" function, which makes a command-line call through "exec.Command" to create a symlink between the volume's location on the node and its location inside the pod. Because the path in that command line is taken from the volume definition without sanitization, an attacker can inject commands by using the "&&" command separator in a specially crafted PersistentVolume YAML file.
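
The difference between the two approaches, as an added Go example that is not kubelet's code: a path concatenated into a cmd command line becomes part of the command text, while the same path passed to os.Symlink() stays a single literal argument. The function names, the mklink-style command string and the sample paths are assumptions constructed for illustration; the string is only built for inspection and never executed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// cmdMetachars are characters cmd.exe treats as separators, redirection,
// escape or expansion syntax when they appear unquoted in a command line.
const cmdMetachars = "&|<>^%\r\n"

// SuspiciousForCmd reports whether a volume path contains characters that
// would change the meaning of a cmd.exe command line built by concatenation.
func SuspiciousForCmd(path string) bool {
	return strings.ContainsAny(path, cmdMetachars)
}

// ShellStyleLine shows the unsafe pattern (hypothetical, inspection only):
// the path becomes command text, so separators in it are parsed by the shell.
func ShellStyleLine(source, target string) string {
	return "cmd /c mklink /D " + target + " " + source
}

// LinkNative creates the link with os.Symlink: the path reaches the OS as
// one argument, so no character in it is interpreted as command syntax.
func LinkNative(source, target string) error {
	return os.Symlink(source, target)
}

func main() {
	dir, err := os.MkdirTemp("", "pvdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample values standing in for a PersistentVolume local path.
	for i, p := range []string{`C:\data\vol1`, `C:\data\vol1 && echo marker`} {
		target := filepath.Join(dir, fmt.Sprintf("link%d", i))
		fmt.Printf("path=%q flagged=%v\n", p, SuspiciousForCmd(p))
		fmt.Printf("  shell-style line: %s\n", ShellStyleLine(p, target))
		if err := LinkNative(p, target); err != nil {
			panic(err)
		}
		got, _ := os.Readlink(target)
		fmt.Printf("  native link target: %q\n", got)
	}
}
```

A check like SuspiciousForCmd can also be run over existing PersistentVolume definitions to find paths that deserve review on clusters that have not yet been updated.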

To address the injection opportunity, the Kubernetes team replaced the cmd call with a native Go function, os.Symlink().

In other security news, a critical flaw in the Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to deploy a Mirai botnet variant called NetKiller. This variant shares infrastructure overlaps with the Condi botnet, whose source code was publicly released on GitHub between August 17 and October 12, 2023. The availability of the Condi source code suggests that other threat actors may be utilizing it for malicious purposes.