Particulars have been made public a couple of now-patched high-severity flaw in Kubernetes that would permit a malicious attacker to realize distant code execution with elevated privileges beneath particular circumstances.
“The vulnerability permits distant code execution with SYSTEM privileges on all Home windows endpoints inside a Kubernetes cluster,” Akamai safety researcher Tomer Peled mentioned. “To take advantage of this vulnerability, the attacker wants to use malicious YAML recordsdata on the cluster.”
Tracked as CVE-2023-5528 (CVSS rating: 7.2), the shortcoming impacts all variations of kubelet, together with and after model 1.8.0. It was addressed as a part of updates launched on November 14, 2023, within the following variations –
- kubelet v1.28.4
- kubelet v1.27.8
- kubelet v1.26.11, and
- kubelet v1.25.16
“A safety challenge was found in Kubernetes the place a consumer that may create pods and chronic volumes on Home windows nodes could possibly escalate to admin privileges on these nodes,” Kubernetes maintainers mentioned in an advisory launched on the time. “Kubernetes clusters are solely affected if they’re utilizing an in-tree storage plugin for Home windows nodes.”
Profitable exploitation of the flaw may lead to an entire takeover of all Home windows nodes in a cluster. It is price noting that one other set of comparable flaws was beforehand disclosed by the online infrastructure firm in September 2023.
The difficulty stems from the usage of “insecure perform name and lack of consumer enter sanitization,” and pertains to function known as Kubernetes volumes, specifically leveraging a quantity kind often known as native volumes that permit customers to mount disk partition in a pod by specifying or making a PersistentVolume.
“Whereas making a pod that features a native quantity, the kubelet service will (ultimately) attain the perform ‘MountSensitive(),'” Peled defined. “Inside it, there is a cmd line name to ‘exec.command,’ which makes a symlink between the situation of the quantity on the node and the situation contained in the pod.”
This supplies a loophole that an attacker can exploit by making a PersistentVolume with a specifically crafted path parameter within the YAML file, which triggers command injection and execution by utilizing the “&&” command separator.
“In an effort to take away the chance for injection, the Kubernetes group selected to delete the cmd name, and substitute it with a local GO perform that can carry out the identical operation ‘os.Symlink(),” Peled mentioned of the patch put in place.
The disclosure comes as a important safety flaw found within the end-of-life (EoL) Zhejiang Uniview ISC digicam mannequin 2500-S (CVE-2024-0778, CVSS rating: 9.8) is being exploited by menace actors to drop a Mirai botnet variant known as NetKiller that shares infrastructure overlaps with a special botnet named Condi.
“The Condi botnet supply code was launched publicly on Github between August 17 and October 12, 2023,” Akamai mentioned. “Contemplating the Condi supply code has been accessible for months now, it’s seemingly that different menace actors […] are utilizing it.”