Particulars have been made public a few now-patched high-severity flaw in Kubernetes that would enable a malicious attacker to realize distant code execution with elevated privileges below particular circumstances.
“The vulnerability permits distant code execution with SYSTEM privileges on all Home windows endpoints inside a Kubernetes cluster,” Akamai safety researcher Tomer Peled mentioned. “To use this vulnerability, the attacker wants to use malicious YAML recordsdata on the cluster.”
Tracked as CVE-2023-5528 (CVSS rating: 7.2), the shortcoming impacts all variations of kubelet, together with and after model 1.8.0. It was addressed as a part of updates launched on November 14, 2023, within the following variations –
- kubelet v1.28.4
- kubelet v1.27.8
- kubelet v1.26.11, and
- kubelet v1.25.16
“A safety problem was found in Kubernetes the place a person that may create pods and protracted volumes on Home windows nodes might be able to escalate to admin privileges on these nodes,” Kubernetes maintainers mentioned in an advisory launched on the time. “Kubernetes clusters are solely affected if they’re utilizing an in-tree storage plugin for Home windows nodes.”
Profitable exploitation of the flaw may lead to a whole takeover of all Home windows nodes in a cluster. It is price noting that one other set of comparable flaws was beforehand disclosed by the online infrastructure firm in September 2023.
The difficulty stems from using “insecure perform name and lack of person enter sanitization,” and pertains to function known as Kubernetes volumes, specifically leveraging a quantity sort referred to as native volumes that enable customers to mount disk partition in a pod by specifying or making a PersistentVolume.
“Whereas making a pod that features a native quantity, the kubelet service will (ultimately) attain the perform ‘MountSensitive(),'” Peled defined. “Inside it, there is a cmd line name to ‘exec.command,’ which makes a symlink between the situation of the quantity on the node and the situation contained in the pod.”
This offers a loophole that an attacker can exploit by making a PersistentVolume with a specifically crafted path parameter within the YAML file, which triggers command injection and execution by utilizing the “&&” command separator.
“In an effort to take away the chance for injection, the Kubernetes staff selected to delete the cmd name, and substitute it with a local GO perform that may carry out the identical operation ‘os.Symlink(),” Peled mentioned of the patch put in place.
The disclosure comes as a important safety flaw found within the end-of-life (EoL) Zhejiang Uniview ISC digicam mannequin 2500-S (CVE-2024-0778, CVSS rating: 9.8) is being exploited by risk actors to drop a Mirai botnet variant known as NetKiller that shares infrastructure overlaps with a distinct botnet named Condi.
“The Condi botnet supply code was launched publicly on Github between August 17 and October 12, 2023,” Akamai mentioned. “Contemplating the Condi supply code has been obtainable for months now, it’s seemingly that different risk actors […] are utilizing it.”