Asurgent cyber blog (English): Kubernetes Faces a Challenge: Guarding against new RCE vulns

• Tomer Peled – A security researcher at Akamai recently discovered a high-severity vulnerability in Kubernetes. This vulnerability has been reported at CVE-2023-3676
• Default installations of Kubernetes is vulnerable to this exploit both on-prem deployments and Azure Kubernetes Service.
• The security flaw allows an actor with SYSTEM privileges on every Windows endpoint present in a Kubernetes cluster to utilize this remote code execution. This vulnerability is deployed with the use of a YAML file, the file is deployed on the cluster.  

YAML

YAML is a human-readable data serialization language that is often used for writing configuration files. Data serialization is a process of translating data structures and objects into a format that can be stored or transmitted.
YAML is widely used in Kubernetes and is a best practice to use in configuration generally.

Pod

Pods are the smallest deployable units of computing that you can create and manage in Kubernetes.

Vulnerability

Tomer Peled from Akamai explains that PowerShell can be made to run inside a pod. A pod is like a small computer space in Kubernetes. This is done by configuring something called 'volumes,' which are like shared folders. To make this work you need to add a special instruction, called a 'volume parameter,' into a file written in a language called YAML. This file tells Kubernetes how to set up the pod.

Inside the YAML file, there is another setting called 'subPath.' This is where the problem lies. An attacker can use this 'subPath' setting to inject the PowerShell to do bad actions on the computer. Tomer Peled found that this 'subPath' was vulnerable to insecure function calls and a lack of user input sanitization.

The attacker needs to have access to a node and ‘apply’ authorization. If the actor has permission listed communication can be achieved with the Kubernetes API on the target. The attacker can then inject arbitrary code for execution on the remote Windows endpoint.

Full walkthrough POC can be read at Can't Be Contained: Finding a Command Injection Vulnerability in Kubernetes | Akamai

Mitigation

To mitigate this issue, make sure that your Kubernetes version is above 1.28.

If this is not possible, the Kubernetes admin in your organization can disable the Volume.Subpath. This will prevent the CVE’s listed below from being exploited on your cluster.

Sources:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3676

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3955

https://www.akamai.com/blog/security-research/kubernetes-critical-vulnerability-command-injection