oss-sec mailing list archives

[kubernetes] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes

From: Craig Ingram <cjingram () google com>
Date: Tue, 14 Nov 2023 12:14:53 -0500

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user that can create
pods and persistent volumes on Windows nodes may be able to escalate to
admin privileges on those nodes. Kubernetes clusters are only affected if
they are using an in-tree storage plugin for Windows nodes.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>),
and assigned CVE-2023-5528.

Am I vulnerable?

Any kubernetes environment with Windows nodes is impacted.  Run kubectl get
nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected Versions

- kubelet >= v1.8.0 (including all later minor versions)

How do I mitigate this vulnerability?

The provided patch fully mitigates the vulnerability.

Outside of applying the patch, there are no known mitigations to this
vulnerability.

Fixed Versions

- kubelet v1.28.4

- kubelet v1.27.8

- kubelet v1.26.11

- kubelet v1.25.16

These releases will be published over the course of today, November 14,
2023.

To upgrade, refer to the documentation:

https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

Kubernetes audit logs can be used to detect if this vulnerability is being
exploited. Persistent Volume create events with local path fields
containing special characters are a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please
contact security () kubernetes io

Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/121879

Acknowledgements

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant

Mark Rossetti @marosset

Michelle Au @msau42

Jan Šafránek @jsafrane

Mo Khan @enj

Rita Zhang @ritazh

Micah Hausler @micahhausler

Sri Saran Balaji @SaranBalaji90

Craig Ingram @cji

and release managers:

Jeremy Rickard @jeremyrickard

Marko Mudrinić @xmudrii

Thank You,

Craig Ingram on behalf of the Kubernetes Security Response Committee

Current thread:

[kubernetes] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Craig Ingram (Nov 14)