Kubernetes RCE Vulnerability Allows Remote Code Execution
Tomer Peled, an Akamai cybersecurity researcher, recently discovered a Kubernetes RCE vulnerability that allows threat actors to remotely execute code on Windows endpoints, and to do so with full system privileges.
Peled explained how Kubernetes volumes can be exploited, resulting in a complete takeover of Windows nodes inside a Kubernetes cluster. The vulnerability is tracked as CVE-2023-5528 and has a CVSS score of 7.2. The Kubernetes volumes feature supports sharing data between pods in a cluster or storing data outside the lifecycle of a single pod.
In this article, we discuss the Kubernetes RCE vulnerability and the patch that fixes it.
How Does The Exploitation of Kubernetes RCE Vulnerability Work?
According to Peled, exploiting this vulnerability is quite easy. To obtain admin privileges, a threat actor needs the ability to create pods and persistent volumes on Windows nodes; the system privileges obtained are confined to those nodes. Kubernetes is configured through YAML files, and a cluster is only vulnerable if it uses an in-tree storage plugin for Windows.
Different volume types give attackers different attack scenarios. All default Kubernetes installations running a version earlier than 1.28.4 are vulnerable. Peled also noted that exploitation of the vulnerability was likely to increase because the flaw is present in the source code.
What Led To The Discovery of Kubernetes RCE Flaw?
CVE-2023-5528 was discovered during the investigation of another Kubernetes vulnerability. Both of these recent Kubernetes vulnerabilities share the same root cause: a lack of user input sanitization and insecure function calls.
The earlier vulnerability, tracked as CVE-2023-3676, could be exploited by applying a malicious YAML file to a Kubernetes cluster. That discovery led to the uncovering of two further vulnerabilities, and at the end of the investigation CVE-2023-5528 was found.
Kubernetes Exploit Mitigation
Windows' Command Prompt (cmd) allows several commands on the same line. Controlling a single parameter of a cmd invocation can therefore amount to a command injection vulnerability. The injected value can be placed in the storage path that a user requests through a persistentVolumeClaim. The patch removes the cmd call and replaces it with a native Go function that performs the same operation, which eliminates the command injection.
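As an added illustration (not code from Kubernetes or from Peled's write-up), here is the shape of the mitigation in Go: a fail-closed check on a user-supplied volume path, the unsafe string-building pattern beside it, and a native Go call in place of shelling out to cmd. The choice of mkdir as the operation, the `cmdMetachars` list and the base-directory confinement are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Characters cmd.exe treats as command separators or redirections. Once a
// user-controlled value holding one of these is pasted into a "cmd /c" string,
// it is no longer a single argument but part of the command structure.
const cmdMetachars = "&|<>^"

// rejectCmdMetachars is a fail-closed validation rule for user-supplied volume
// parameters (for example a path requested through a persistentVolumeClaim).
func rejectCmdMetachars(value string) error {
	if strings.ContainsAny(value, cmdMetachars) {
		return fmt.Errorf("%q contains cmd.exe metacharacters", value)
	}
	return nil
}

// vulnerableCommandLine shows the unsafe shape the article describes: a
// user-controlled path concatenated into a command line for cmd.exe. The
// concrete operation (mkdir) is assumed here for illustration only.
func vulnerableCommandLine(userPath string) string {
	return "cmd /c mkdir " + userPath
}

// hardenedCreateDir is the shape of the fix: no shell at all. The path goes
// to a native Go call, so a separator in it is just a character in a name,
// and the result is additionally confined to the base directory.
func hardenedCreateDir(base, userPath string) (string, error) {
	if err := rejectCmdMetachars(userPath); err != nil {
		return "", err
	}
	full := filepath.Join(base, userPath)
	if !strings.HasPrefix(full, filepath.Clean(base)+string(filepath.Separator)) {
		return "", errors.New("path is not strictly inside the base directory")
	}
	return full, os.MkdirAll(full, 0o750)
}

func main() {
	base, _ := os.MkdirTemp("", "volume-example") // constructed sample base dir
	defer os.RemoveAll(base)
	for _, p := range []string{"vol1/data", "vol1&other", "../escape"} {
		full, err := hardenedCreateDir(base, p)
		fmt.Printf("%-12q -> %q, err=%v\n", p, full, err)
	}
}
```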
Conclusion
The discovery of this Kubernetes RCE vulnerability shows that enterprises must always verify Kubernetes configuration YAMLs before deploying them, because several areas of the Kubernetes code base lack user input sanitization and are therefore open to exploitation. Concerns such as Kubernetes remote code execution must always be taken seriously and addressed with robust cybersecurity measures.
The sources for this piece include articles in Dark Reading and The Hacker News.