As per recent reports, Kubernetes has been discovered with a remote code execution vulnerability, which could allow a threat actor to execute code on the affected Windows endpoints inside a Kubernetes Cluster with SYSTEM privileges.
To exploit this vulnerability, the threat actor must have “apply” privileges on Kubernetes, which is needed to interact with the Kubernetes API.
Exploitation takes place via a malicious YAML file on the cluster. This vulnerability has a CVE ID of CVE-2023-3676 and a CVSS score of 8.8 (High).
Previous YAML and Kubernetes Exploitation
Kubernetes uses YAML files for almost everything, from configuring, automated deployment, scaling, and managing containerized applications pod management, and many others.
CVE-2022-1471, which existed in the constructor of SnakeYAML and led to remote code execution in vulnerable applications, was found in 2022.
Kubernetes themselves discovered many vulnerabilities like CVE-2021-25749 (run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true), CVE-2017-1002101 and CVE-2021-25741 (race conditions and symlinks in conjunction with the subPath subproperty in a YAML file).
With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.
According to the reports shared with Cyber Security News, When creating a pod, users can also create a shared directory between the pod and the host called “volumes.”
To enable the volumes, the YAML file needs to be added with the volume parameter along with mountPath (location of the container) and hostPath (location of the host).
The subPath subproperty can also be used to mount the shared directory in a chosen location.
This YAML file is then parsed by kubelet, which validates every parameter in the YAML file and ensures no symlinks are created on the subPath parameter using the help of isLinkPath inner function.
The subPath subproperty on the YAML file is taken as a parameter and creates a PowerShell command to find the path type. This PowerShell command is then sent to the exec. Command function call.
Further investigation revealed that “exec.Command” can be combined with unsanitized user-supplied input, leading to a command injection vulnerability.
Akamai has published a complete report on this vulnerability, which provides detailed information about the exploitation method, patch analysis, mitigations, and a Github repository containing the proof-of-concept for this vulnerability.
It is recommended for organizations to upgrade to the latest version of Kubernetes to prevent this vulnerability from getting exploited.