[Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

Security_k8s.io · August 23, 2023, 2:31pm

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

This issue has been rated HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - 8.8), and assigned CVE-2023-3676

Am I vulnerable?

Any kubernetes environment with Windows nodes is impacted. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected Versions

kubelet <= v1.28.0
kubelet <= v1.27.4
kubelet <= v1.26.7
kubelet <= v1.25.12
kubelet <= v1.24.16

How do I mitigate this vulnerability?

The provided patch fully mitigates the vulnerability and has no known side effects. Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

Fixed Versions

kubelet v1.28.1
kubelet v1.27.5
kubelet v1.26.8
kubelet v1.25.13
kubelet v1.24.17

These releases will be published over the course of today, August 23rd, 2023.

To upgrade, refer to the documentation:

https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation. Config maps and secrets that contain embedded powershell commands and are mounted into pods are also a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation · Issue #119339 · kubernetes/kubernetes · GitHub

Acknowledgements

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant

Mark Rossetti @marosset

Andy Zhang @andyzhangx

Justin Terry @jterry75

Kulwant Singh @KlwntSingh

Micah Hausler @micahhausler

Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee

Topic	Replies	Views
[Security Advisory] CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation Announcements	1596	August 23, 2023
[Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Announcements	983	November 14, 2023
[Security Advisory] CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation Announcements	1352	August 23, 2023
[Security Advisory] CVE-2020-8559: Privilege escalation from compromised node to cluster Announcements	2073	July 15, 2020
[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts Announcements	1878	July 15, 2020

[Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

Related Topics