A significant vulnerability recently disclosed in Kubernetes has raised alarms due to its potential for enabling remote code execution with elevated privileges. This vulnerability, labeled as CVE-2023-5528, affects all kubelet versions from 1.8.0 onwards and has been assigned a CVSS score of 7.2, indicating its severity.

According to Akamai security researcher Tomer Peled, this vulnerability can allow malicious actors to exploit Kubernetes clusters by applying specially crafted YAML files. Specifically, it grants SYSTEM privileges to remote code execution across all Windows endpoints within the cluster. Kubernetes maintainers have noted that the clusters in question are only vulnerable if they utilize in-tree storage plugins designed for Windows nodes.

The flaw was addressed in updates released on November 14, 2023, with patched versions including kubelet v1.28.4, v1.27.8, v1.26.11, and v1.25.16. The Kubernetes advisory reveals a security oversight that could permit a user, capable of creating pods and persistent volumes on Windows nodes, to escalate their privileges to an admin level.

This weakness stems from the insecure function calls and inadequate sanitization of user input associated with Kubernetes volumes, particularly local volumes. An attacker could create a PersistentVolume with a malicious path parameter in the YAML configuration that triggers command injection. Peled explained that during the process of pod creation that involves local volumes, a command in the kubelet service made a symlink between the disk partition’s location on the node and the pod’s internal location.

To mitigate the risk of exploitation, the Kubernetes team has replaced the command call that allowed for this exploit with a native Go function, ‘os.Symlink()’, thus closing the avenue for command injection.

The urgency of this disclosure is underscored by a concurrent security issue affecting the Zhejiang Uniview ISC camera model 2500-S, which has been found to be exploited by threat actors using a variant of the Mirai botnet known as NetKiller. This botnet exemplifies a broader trend of leveraging public source code for malicious purposes.

Considering the complexity of the attack vector and the timing of its announcement, organizations operating Kubernetes clusters, particularly those based in the U.S., should prioritize updating their systems to the patched versions. The attack methods align with several tactics outlined in the MITRE ATT&CK framework, including initial access through exploiting a weakness in Kubernetes deployment configurations, as well as privilege escalation via command injection. As the cybersecurity landscape continues to evolve, vigilance in patch management and system configuration remains paramount for safeguarding against potential exploits.