Kubernetes Command Injection Flaw Lets Attackers Execute Code With SYSTEM Privileges

According to recent reports, Kubernetes has been found to contain a command injection vulnerability that allows a threat actor to execute code on Windows nodes inside a Kubernetes cluster with SYSTEM privileges, the account the kubelet service runs under on Windows.

To exploit this vulnerability, the threat actor needs permission to create pods on the cluster (the “apply” access needed to submit a pod manifest through the Kubernetes API), and the pod must be scheduled onto a Windows node.


Exploitation consists of applying a malicious YAML pod manifest to the cluster. The vulnerability is tracked as CVE-2023-3676 and carries a CVSS score of 8.8 (High).

Previous YAML and Kubernetes Exploitation

Kubernetes uses YAML manifests for almost everything: configuring and deploying containerized applications, scaling them, and managing the pods that run them.

CVE-2022-1471, a flaw in SnakeYAML's Constructor class that led to remote code execution in applications that used it to deserialize untrusted YAML, was disclosed in 2022.

The Kubernetes project itself has fixed several manifest-related vulnerabilities, such as CVE-2021-25749 (Windows workloads could run as ContainerAdministrator even when runAsNonRoot was set to true), and CVE-2017-1002101 and CVE-2021-25741 (race conditions and symlink tricks combined with the subPath property of a volume mount, allowing access to the host filesystem).


Vulnerability Description

According to the report shared with Cyber Security News, a pod can be given a hostPath volume, which mounts a directory from the node's filesystem into the container so that the two share it.

To use such a volume, the pod manifest declares it under volumes with a hostPath.path (the directory on the node) and references it from the container's volumeMounts with a mountPath (the location inside the container).

The optional subPath field on a volumeMount selects a subdirectory of the volume to mount at mountPath instead of the volume's root.

YAML configuration (Source: Akamai)

The pod manifest is then processed by kubelet, which validates the volume parameters and, on Windows nodes, checks that the subPath does not resolve through a symlink, using an internal helper function named isLinkPath.

isLinkPath function (Source: Akamai)

On Windows, isLinkPath takes the subPath value from the manifest, formats it into a PowerShell command that queries the path's link type, and runs that command through Go's exec.Command function.

Because the subPath string comes straight from the user-supplied pod spec and is inserted into the command line without sanitization, an attacker can embed PowerShell syntax in it and have kubelet execute it. Since kubelet runs as SYSTEM on the node, so does the injected command.
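The following Go program is an added example written for this article; it is not kubelet's code or Akamai's proof of concept. It reconstructs the pattern described above (the subPath value formatted into a PowerShell command line; the exact command text is an assumption modeled on the description) to show that Go's %q quoting does not neutralize a PowerShell $(...) subexpression, and places beside it a native symlink check built on os.Lstat that never turns the path into a command. The function names buildLinkTypeCommand, containsSubexpression, isLinkPathNative and demo, and the sample subPath value $(Get-Date), are all constructed for the example. Nothing is shelled out, so the program runs on any platform that supports symlinks.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// buildLinkTypeCommand reconstructs the vulnerable pattern the article
// describes: the subPath value is formatted into a PowerShell command line
// that kubelet then hands to exec.Command("powershell", "/c", cmd).
// Illustrative reconstruction for this example, not kubelet's own code.
// Go's %q wraps the value in double quotes, but PowerShell expands $(...)
// subexpressions inside double-quoted strings, so the quoting does nothing
// to neutralise attacker-controlled input.
func buildLinkTypeCommand(subPath string) string {
	return fmt.Sprintf("(Get-Item -LiteralPath %q).LinkType", subPath)
}

// containsSubexpression flags the PowerShell subexpression operator "$("
// in a value that is about to be shelled out. Rejecting such values is only
// a stop-gap; the real fix is not to build a shell command from the path.
func containsSubexpression(value string) bool {
	return strings.Contains(value, "$(")
}

// isLinkPathNative answers the same question ("is this path a symlink?")
// without spawning a shell: os.Lstat reports on the link itself rather than
// its target, and the path is only ever treated as data. On Windows,
// directory junctions are reported differently across Go versions, so a
// production check should also inspect the reparse-point attribute.
func isLinkPathNative(path string) (bool, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink != 0, nil
}

// demo builds a scratch layout under root (a real directory and a symlink
// to it), runs the native check on both, and reports whether it classified
// the symlink as a link and the plain directory as not a link.
func demo(root string) (bool, error) {
	real := filepath.Join(root, "data")
	if err := os.Mkdir(real, 0o755); err != nil {
		return false, err
	}
	link := filepath.Join(root, "escape")
	if err := os.Symlink(real, link); err != nil {
		return false, err
	}
	linkIsLink, err := isLinkPathNative(link)
	if err != nil {
		return false, err
	}
	dirIsLink, err := isLinkPathNative(real)
	if err != nil {
		return false, err
	}
	return linkIsLink && !dirIsLink, nil
}

func main() {
	// Constructed subPath value: a harmless PowerShell subexpression that
	// shows the injection surface. It is only formatted here, never run.
	injected := `$(Get-Date)`
	fmt.Println("command the vulnerable check would run:", buildLinkTypeCommand(injected))
	fmt.Println("subexpression present:", containsSubexpression(injected))

	tmp, err := os.MkdirTemp("", "subpath-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	ok, err := demo(tmp)
	if err != nil {
		panic(err)
	}
	fmt.Println("native symlink check correct:", ok)
}
```

The printed command line still contains `"$(Get-Date)"` verbatim, which is the whole problem: the quotes that %q adds are Go's idea of quoting, not PowerShell's, and PowerShell treats the contents of a double-quoted string as expandable. The native check sidesteps the question of escaping entirely, which is the shape of fix a reviewer should look for wherever exec.Command is fed a string assembled from request data.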

Akamai has published a complete report on this vulnerability, with details of the exploitation method, an analysis of the patch, mitigations, and a GitHub repository containing a proof of concept.

Only clusters with Windows nodes are affected. Organizations are advised to upgrade kubelet on those nodes to a patched Kubernetes release, and, in the meantime, to restrict which identities may create pods that mount hostPath volumes on Windows nodes.


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.