Particulars have been made public a couple of now-patched high-severity flaw in Kubernetes that might permit a malicious attacker to realize distant code execution with elevated privileges below particular circumstances.
“The vulnerability permits distant code execution with SYSTEM privileges on all Home windows endpoints inside a Kubernetes cluster,” Akamai safety researcher Tomer Peled stated. “To use this vulnerability, the attacker wants to use malicious YAML recordsdata on the cluster.”
Tracked as CVE-2023-5528 (CVSS rating: 7.2), the shortcoming impacts all variations of kubelet, together with and after model 1.8.0. It was addressed as a part of updates launched on November 14, 2023, within the following variations –
- kubelet v1.28.4
- kubelet v1.27.8
- kubelet v1.26.11, and
- kubelet v1.25.16
“A safety problem was found in Kubernetes the place a person that may create pods and chronic volumes on Home windows nodes might be able to escalate to admin privileges on these nodes,” Kubernetes maintainers stated in an advisory launched on the time. “Kubernetes clusters are solely affected if they’re utilizing an in-tree storage plugin for Home windows nodes.”
Profitable exploitation of the flaw may lead to an entire takeover of all Home windows nodes in a cluster. It is value noting that one other set of comparable flaws was beforehand disclosed by the online infrastructure firm in September 2023.
The difficulty stems from the usage of “insecure perform name and lack of person enter sanitization,” and pertains to function known as Kubernetes volumes, specifically leveraging a quantity sort often known as native volumes that permit customers to mount disk partition in a pod by specifying or making a PersistentVolume.
“Whereas making a pod that features a native quantity, the kubelet service will (finally) attain the perform ‘MountSensitive(),'” Peled defined. “Inside it, there is a cmd line name to ‘exec.command,’ which makes a symlink between the situation of the amount on the node and the situation contained in the pod.”
This gives a loophole that an attacker can exploit by making a PersistentVolume with a specifically crafted path parameter within the YAML file, which triggers command injection and execution through the use of the “&&” command separator.
“In an effort to take away the chance for injection, the Kubernetes workforce selected to delete the cmd name, and change it with a local GO perform that may carry out the identical operation ‘os.Symlink(),” Peled stated of the patch put in place.
The disclosure comes as a essential safety flaw found within the end-of-life (EoL) Zhejiang Uniview ISC digicam mannequin 2500-S (CVE-2024-0778, CVSS rating: 9.8) is being exploited by risk actors to drop a Mirai botnet variant known as NetKiller that shares infrastructure overlaps with a special botnet named Condi.
“The Condi botnet supply code was launched publicly on Github between August 17 and October 12, 2023,” Akamai stated. “Contemplating the Condi supply code has been accessible for months now, it’s possible that different risk actors […] are utilizing it.”
