
Kubernetes Vulnerability Allows Remote Code Execution with System Privileges

A high-severity flaw in Kubernetes has been disclosed that could allow an attacker to execute code remotely with elevated privileges on every Windows endpoint in a Kubernetes cluster. Tracked as CVE-2023-5528 (CVSS score: 7.2), it affects all versions of kubelet from 1.8.0 onward. Fixes were released on November 14, 2023, in kubelet v1.28.4, v1.27.8, v1.26.11, and v1.25.16. Akamai security researcher Tomer Peled, who identified and disclosed the flaw, explained that attackers could exploit it by applying malicious YAML files to the cluster.

According to the Kubernetes maintainers, the issue arises when a user who can create pods and persistent volumes on Windows nodes is able to escalate to admin privileges on those nodes. Clusters are only affected if they use an in-tree storage plugin for Windows nodes. Successful exploitation could result in a complete takeover of all Windows nodes in a cluster.

The flaw has its roots in an insecure function call combined with a lack of user input sanitization in the Kubernetes volumes feature. That feature offers a volume type known as local volumes, which lets users mount disk partitions in a pod by creating or specifying a persistent volume. When a pod is created with a local volume, the kubelet service eventually reaches the function ‘MountSensitive()', inside which a command-line call via ‘exec.Command' creates a symlink between the volume's location on the node and the mount location inside the pod.

Attackers can exploit this loophole by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution via the “&&” command separator. In response, Kubernetes removed the command-line call and replaced it with a native Go function that performs the same operation, ‘os.Symlink()'.
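To make the shape of the fix concrete, here is an added Go example (not kubelet's code and not part of the original article): a hypothetical admission-style check, validateLocalPath, that refuses a PersistentVolume path carrying cmd.exe separators, in front of a symlink step that uses os.Symlink, so the path is only ever handled as data and never re-parsed by a shell. The volume directory and mount point are constructed under a temporary directory so it runs offline.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// cmd.exe separators and quoting characters; any of them in a volume path is refused.
const shellMeta = "&|<>^\"'`$;\r\n"

// validateLocalPath is a hypothetical admission-style check for a PersistentVolume's
// local.path field; it is not kubelet's own code.
func validateLocalPath(p string) error {
	switch {
	case p == "":
		return fmt.Errorf("empty local path")
	case strings.ContainsAny(p, shellMeta):
		return fmt.Errorf("local path %q contains a shell metacharacter", p)
	}
	return nil
}

// mountLocalVolume mirrors the shape of the fix the article describes: the pod-side mount
// point becomes a symlink to the node-side path through os.Symlink, which takes the path as
// data and never hands it to a shell. The validation above runs first as defence in depth.
func mountLocalVolume(volumePath, podMountPoint string) error {
	if err := validateLocalPath(volumePath); err != nil {
		return err
	}
	return os.Symlink(volumePath, podMountPoint)
}

// demo builds a constructed volume directory under a temp dir, mounts it and
// returns the path the pod-side link resolves to.
func demo() (string, error) {
	base, err := os.MkdirTemp("", "pv-demo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(base)
	vol, link := filepath.Join(base, "vol1"), filepath.Join(base, "pod-mount")
	if err := os.Mkdir(vol, 0o755); err != nil {
		return "", err
	}
	if err := mountLocalVolume(vol, link); err != nil {
		return "", err
	}
	return os.Readlink(link)
}
```

The allow-list approach is deliberately strict: a legitimate Windows volume path never needs a separator or quoting character, so rejecting them loses nothing while removing the whole class of injection the article describes.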

It's worth noting that Akamai previously disclosed another set of similar flaws in September 2023. Those issues likewise stem from the use of in-tree storage plugins for Kubernetes, which let users mount disk partitions in a pod by creating or specifying a PersistentVolume.

Additionally, a critical security flaw in the end-of-life Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is currently being exploited by threat actors to drop a Mirai variant called NetKiller, which shares infrastructure overlaps with a different botnet named Condi. Akamai reports that the Condi source code was released publicly between August 17 and October 12, 2023. Given that the Condi source code has been available for months, it's likely that other threat actors are also using it.

Deitasoft © 2024. All Rights Reserved.