Hello Kubernetes Community,
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Am I vulnerable?
Any kubernetes environment with Windows nodes is impacted. Run
kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.
kubelet <= v1.28.0
kubelet <= v1.27.4
kubelet <= v1.26.7
kubelet <= v1.25.12
kubelet <= v1.24.16
How do I mitigate this vulnerability?
The provided patch fully mitigates the vulnerability and has no known side effects. Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.
Outside of applying the provided patch, there are no known mitigations to this vulnerability.
These releases will be published over the course of today, August 23rd, 2023.
To upgrade, refer to the documentation:
Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation. Config maps and secrets that contain embedded powershell commands and are mounted into pods are also a strong indication of exploitation.
If you find evidence that this vulnerability has been exploited, please contact email@example.com
See the GitHub issue for more details: CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation · Issue #119339 · kubernetes/kubernetes · GitHub
This vulnerability was reported by Tomer Peled @tomerpeled92
The issue was fixed and coordinated by the fix team:
James Sturtevant @jsturtevant
Mark Rossetti @marosset
Andy Zhang @andyzhangx
Justin Terry @jterry75
Kulwant Singh @KlwntSingh
Micah Hausler @micahhausler
Rita Zhang @ritazh
and release managers:
Jeremy Rickard @jeremyrickard
Rita Zhang on behalf of the Kubernetes Security Response Committee