Kubernetes Advises Users to Patch Command Injection Flaws
Latest Release Fixes 3 High-Severity Flaws; Akamai Releases Proof-of-Concept Code
Researchers are warning Kubernetes users to immediately update their clusters to patch three high-severity command injection vulnerabilities that attackers can use to remotely execute code on Windows nodes.
One of the vulnerabilities, tracked as CVE-2023-3676, can be exploited by anyone with permission to create pods, which Akamai describes as "apply" privileges on the Kubernetes API, cloud services firm Akamai warned in a blog post that includes proof-of-concept code for exploiting the flaw.
"A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes," according to the Kubernetes change log. "Kubernetes clusters are only affected if they include Windows nodes."
Introduced by Google in 2014, Kubernetes is an open-source container orchestration system designed to automate software deployment, scaling and management. The system is now maintained by the Cloud Native Computing Foundation.
Containers, the workloads Kubernetes manages, are a more lightweight and flexible alternative to virtual machines. Kubernetes organizes them into clusters - sets of nodes that run containerized applications. Clusters can span multiple machines and types of environments, including physical and virtual systems located on-premises and in the cloud.
In Kubernetes-speak, a pod is the smallest deployable unit of work and consists of one or more containers that share storage and networking; a node is the physical or virtual machine on which pods run.
Recommendation: Update to Latest Version
"To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster," Akamai said. YAML is a human-readable data serialization language commonly used for configuration files, including the manifests that describe Kubernetes objects such as pods.
To eliminate the vulnerability, Kubernetes advised users to update to version 1.28.1, released on Aug. 23, which fixes the flaw outright. The patched version was pushed just nine days after the Aug. 15 release of version 1.28. Kubernetes also released backported fixes on the same day for the older supported branches: 1.27.5, 1.26.8, 1.25.13 and 1.24.17.
The flaw lives in the kubelet, the node agent that mounts volumes for pods, and every release on each branch before those fixed versions contains it.
Akamai said the vulnerability was discovered by Tomer Peled, one of its security researchers, who reported it to the Kubernetes team on July 13. Kubernetes assigned the vulnerability a CVE on July 19 and released fixes on Aug. 23, meaning it patched the flaw - plus two other, similar ones discovered during the response - in about six weeks from the initial report.
Akamai warned in a blog post that the "high-impact" vulnerability is easy to exploit. "This vulnerability can be exploited on default installations of Kubernetes, and was tested against both on-prem deployments and Azure Kubernetes Service," it said. "In fact, the only limiting factor with this vulnerability is its scope - it is restricted to Windows nodes, which are not very popular today."
Kubernetes eliminated the flaw in version 1.28.1 by changing how the kubelet hands the user-supplied path to PowerShell. The fixed code keeps the PowerShell command text constant and passes the path in through an environment variable, which the interpreter reads as an ordinary string value rather than parsing it as code, so nothing in the attacker-controlled input can change what the command does.
The previous approach interpolated the subPath value directly into the text of a PowerShell command used to determine whether the supplied path was a symlink, meaning a symbolic link, Akamai said. Because PowerShell parsed that text as code, an attacker could inject arbitrary commands simply by submitting a pod YAML file to the API with a crafted subPath value.
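The two patterns described above, side by side, as an added example that is not the kubelet's own code or Akamai's proof of concept. It is written in Go because the kubelet is. The function names, the `-NoProfile -Command` invocation, the `LinkPath` variable name and the sample subPath value are all assumptions chosen for illustration; the real kubelet code differs in detail but uses the same environment-variable mechanism for its fix. The commands are only constructed, never run, so the example works on any platform.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Constructed attacker-controlled subPath (example input, not Akamai's PoC):
// a PowerShell subexpression embedded in what should be a plain file name.
// PowerShell expands $(...) even inside a double-quoted string.
const maliciousSubPath = `C:\data\$(Start-Process cmd)`

// vulnerableLinkCheck mirrors the pre-fix pattern: the untrusted path is
// spliced into the PowerShell source text, so PowerShell parses and evaluates
// any $(...) it contains before Get-Item ever sees a path.
func vulnerableLinkCheck(path string) *exec.Cmd {
	script := fmt.Sprintf(`(Get-Item -LiteralPath "%s").LinkType`, path)
	return exec.Command("powershell", "-NoProfile", "-Command", script)
}

// hardenedLinkCheck mirrors the fix: the script is a constant, and the path
// reaches PowerShell only as the value of an environment variable. $env:LinkPath
// yields that value as a string; nothing inside it is parsed as code.
func hardenedLinkCheck(path string) *exec.Cmd {
	const script = `(Get-Item -LiteralPath $env:LinkPath).LinkType`
	cmd := exec.Command("powershell", "-NoProfile", "-Command", script)
	cmd.Env = append(os.Environ(), "LinkPath="+path)
	return cmd
}

// scriptOf returns the source text a command would hand to PowerShell.
func scriptOf(cmd *exec.Cmd) string { return cmd.Args[len(cmd.Args)-1] }

// envValue returns the value of key in the command's environment, or "".
func envValue(cmd *exec.Cmd, key string) string {
	for _, kv := range cmd.Env {
		if strings.HasPrefix(kv, key+"=") {
			return kv[len(key)+1:]
		}
	}
	return ""
}

// carriesInjection reports whether PowerShell source text contains a
// subexpression, backtick escape or statement separator. A script assembled
// only from constants never does; one built with Sprintf can.
func carriesInjection(script string) bool {
	return strings.Contains(script, "$(") ||
		strings.Contains(script, "`") ||
		strings.Contains(script, ";")
}

func main() {
	v := vulnerableLinkCheck(maliciousSubPath)
	h := hardenedLinkCheck(maliciousSubPath)
	fmt.Printf("vulnerable script: %s (injected: %v)\n", scriptOf(v), carriesInjection(scriptOf(v)))
	fmt.Printf("hardened script:   %s (injected: %v)\n", scriptOf(h), carriesInjection(scriptOf(h)))
	fmt.Printf("hardened path via env: %s\n", envValue(h, "LinkPath"))
}
```

The point to take from the comparison is that quoting the interpolated value is not a fix: `-LiteralPath "%s"` still hands attacker text to the PowerShell parser, and `$(...)` is expanded inside double quotes. Moving the value out of the source text entirely, into an environment variable or an argument that the interpreter never parses, is what closes the hole.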
Similar Flaws Also Found and Patched
When responding to Peled's bug report and updating Kubernetes to fix the flaw, Microsoft's James Sturtevant, principal software engineering lead, and Mark Rossetti, principal software engineer, discovered two more command injection vulnerabilities of the same kind. These have been designated CVE-2023-3955, which also affects the kubelet on Windows nodes and was patched in the same Aug. 23 releases, and CVE-2023-3893, which affects the separate Windows CSI Proxy component that handles storage operations on Windows nodes and is fixed in csi-proxy v1.1.3.
"Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955 and CVE-2023-3893," Kubernetes said in its security advisories. "Outside of applying the patch, there are no known mitigations" that will otherwise completely block these vulnerabilities from being exploited, it said.
Akamai said that if users cannot update to a patched version, there are other ways to reduce the risk. Researchers detailed three approaches: using role-based access control to limit who can create pods, particularly pods that can be scheduled onto Windows nodes; using the open-source Open Policy Agent as an admission controller to reject pod specifications that use subPath on Windows nodes; and disabling volume.subpath to keep an attacker from reaching the vulnerable symlink check at all, although disabling it might break production workloads that rely on the feature.
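The admission-time mitigation described above, as an added example that is not Akamai's code or an official Kubernetes policy. It is written in Go, the language Kubernetes admission webhooks are usually written in, rather than as an OPA Rego policy, but it enforces the same rule an OPA policy would: any pod that pins itself to Windows nodes is rejected if it uses subPath at all, and every other pod is rejected if a subPath contains characters PowerShell could interpret as code. The struct types are hand-written stand-ins for the `k8s.io/api` Pod types, the manifests are constructed samples, and the metacharacter list is an assumption; a real webhook would also have to consider node affinity and tolerations, which this check ignores.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal stand-ins for the k8s.io/api Pod types, limited to the fields this
// check reads (assumption: a real webhook would use the upstream types).
type volumeMount struct {
	Name      string `json:"name"`
	MountPath string `json:"mountPath"`
	SubPath   string `json:"subPath"`
}

type container struct {
	Name         string        `json:"name"`
	VolumeMounts []volumeMount `json:"volumeMounts"`
}

type pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		NodeSelector   map[string]string `json:"nodeSelector"`
		InitContainers []container       `json:"initContainers"`
		Containers     []container       `json:"containers"`
	} `json:"spec"`
}

// Constructed sample manifests in the JSON form an admission webhook receives
// (not taken from any real cluster).
const benignManifest = `{"metadata":{"name":"web"},"spec":{"nodeSelector":{"kubernetes.io/os":"linux"},
 "containers":[{"name":"app","volumeMounts":[{"name":"cfg","mountPath":"/etc/app","subPath":"prod/app.conf"}]}]}}`

const windowsManifest = `{"metadata":{"name":"iis"},"spec":{"nodeSelector":{"kubernetes.io/os":"windows"},
 "containers":[{"name":"web","volumeMounts":[{"name":"data","mountPath":"C:\\inetpub","subPath":"site1"}]}]}}`

const injectionManifest = `{"metadata":{"name":"evil"},"spec":{
 "containers":[{"name":"x","volumeMounts":[{"name":"v","mountPath":"/m","subPath":"$(Start-Process cmd)"}]}]}}`

// targetsWindows is true when the pod pins itself to Windows nodes via the
// standard kubernetes.io/os selector. A pod with no selector can still land on
// a Windows node unless those nodes are tainted, which is why the
// metacharacter check below runs for every pod, not only these.
func targetsWindows(p *pod) bool {
	return strings.EqualFold(p.Spec.NodeSelector["kubernetes.io/os"], "windows")
}

// suspiciousSubPath flags characters PowerShell can treat as code, string
// delimiters or statement separators rather than as part of a path name.
func suspiciousSubPath(s string) bool {
	return strings.ContainsAny(s, "$()`;|&\"'{}")
}

// validatePod parses a Pod manifest and returns the reasons it should be
// rejected; an empty slice means the pod may be admitted.
func validatePod(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("parse pod: %w", err)
	}
	windows := targetsWindows(&p)
	all := append([]container{}, p.Spec.InitContainers...)
	all = append(all, p.Spec.Containers...)
	var reasons []string
	for _, c := range all {
		for _, m := range c.VolumeMounts {
			if m.SubPath == "" {
				continue
			}
			switch {
			case windows:
				reasons = append(reasons, fmt.Sprintf("pod %s container %s: subPath %q is not permitted on Windows nodes",
					p.Metadata.Name, c.Name, m.SubPath))
			case suspiciousSubPath(m.SubPath):
				reasons = append(reasons, fmt.Sprintf("pod %s container %s: subPath %q contains PowerShell metacharacters",
					p.Metadata.Name, c.Name, m.SubPath))
			}
		}
	}
	return reasons, nil
}

func main() {
	for _, m := range []string{benignManifest, windowsManifest, injectionManifest} {
		reasons, err := validatePod([]byte(m))
		switch {
		case err != nil:
			fmt.Println("error:", err)
		case len(reasons) == 0:
			fmt.Println("admit")
		default:
			fmt.Println("deny:", strings.Join(reasons, "; "))
		}
	}
}
```

The metacharacter check is defense in depth, not a substitute for patching: it blocks the injection shape Akamai described, but a blocklist can always miss an encoding the interpreter accepts. Rejecting subPath outright on Windows-targeted pods is the rule to rely on, and it is also the one most likely to break legitimate workloads, which is why the RBAC restriction on who can create pods belongs alongside it.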