
CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation #119594

@enj

Description


CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH (8.8)

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy.

Am I vulnerable?

Any Kubernetes environment with Windows nodes that are running kubernetes-csi-proxy is impacted. This is a common default configuration on Windows nodes. Run kubectl get nodes -l kubernetes.io/os=windows to see whether any Windows nodes are in use.

Affected Versions

  • kubernetes-csi-proxy <= v2.0.0-alpha.0
  • kubernetes-csi-proxy <= v1.1.2

How do I mitigate this vulnerability?

The provided patch fully mitigates the vulnerability and has no known side effects. Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

Fixed Versions

To upgrade: cordon the node, stop the associated Windows service, replace the csi-proxy.exe binary, restart the associated Windows service, and un-cordon the node. See the installation docs for more details: https://github.com/kubernetes-csi/csi-proxy#installation

If a Windows host process daemon set is used to run kubernetes-csi-proxy, such as https://github.com/kubernetes-csi/csi-driver-smb/blob/master/charts/latest/csi-driver-smb/templates/csi-proxy-windows.yaml, simply upgrade the image to a fixed version such as ghcr.io/kubernetes-sigs/sig-windows/csi-proxy:v1.1.3.

Detection

Kubernetes audit logs can be used to detect whether this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation.
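As an added example (not part of the advisory and not code from the Kubernetes project), the following Python script applies that detection idea to newline-delimited kube-apiserver audit events: it flags pod create events whose container command or args embed a PowerShell invocation, collapses the RequestReceived and ResponseComplete stages that share one auditID into a single finding, and records whether the pod spec selects Windows nodes. The sample events are constructed for the demonstration; matching the "pwsh" binary name and reporting the Windows nodeSelector are assumptions beyond what the advisory states.

```python
import json
import re
from typing import Iterator

# Matches a PowerShell invocation inside a container command or argument.
# The advisory names "embedded PowerShell commands" in pod create events as
# the indicator; "pwsh" (PowerShell Core) is added here as an assumption.
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


def _command_strings(pod_spec: dict) -> Iterator[tuple[str, str]]:
    """Yield (location, value) for each command/args entry of every container."""
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind) or []:
            name = container.get("name", "<unnamed>")
            for field in ("command", "args"):
                for value in container.get(field) or []:
                    yield f"{kind}[{name}].{field}", str(value)


def find_powershell_pod_creates(audit_lines) -> list[dict]:
    """Return one finding per pod create event whose spec embeds a PowerShell
    command. audit_lines is an iterable of JSON audit events (one per line) as
    written by the kube-apiserver audit backend. The events must have been
    logged at Request or RequestResponse level; otherwise requestObject is
    absent and the pod spec cannot be inspected."""
    findings = []
    seen = set()  # auditID is shared by the RequestReceived/ResponseComplete stages
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the scan
        ref = event.get("objectRef") or {}
        if event.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        audit_id = event.get("auditID")
        if audit_id in seen:
            continue
        spec = (event.get("requestObject") or {}).get("spec") or {}
        for location, value in _command_strings(spec):
            match = POWERSHELL_RE.search(value)
            if match:
                seen.add(audit_id)
                # Extra context for triage: does the spec pin the pod to Windows nodes?
                selector = spec.get("nodeSelector") or {}
                findings.append({
                    "auditID": audit_id,
                    "user": (event.get("user") or {}).get("username"),
                    "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                    "location": location,
                    "match": match.group(0),
                    "windows_selector": selector.get("kubernetes.io/os") == "windows",
                })
                break  # one finding per event is enough
    return findings


def _event(audit_id, stage, verb, resource, spec=None, user="alice"):
    """Build a minimal audit.k8s.io/v1 event (constructed sample, not real log data)."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "auditID": audit_id, "stage": stage, "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": "default", "name": f"obj-{audit_id}"},
    }
    if spec is not None:
        ev["requestObject"] = {"kind": "Pod", "spec": spec}
    return json.dumps(ev)


# Constructed sample log: a benign Linux pod, a Windows pod embedding a PowerShell
# command (logged at both stages), a non-pod create, a pod update and a bad line.
WINDOWS_POD_SPEC = {
    "nodeSelector": {"kubernetes.io/os": "windows"},
    "containers": [{"name": "shell", "command": ["cmd"],
                    "args": ["/c", "powershell.exe -Command Get-Date"]}],
}
SAMPLE_AUDIT_LINES = [
    _event("a1", "ResponseComplete", "create", "pods",
           {"containers": [{"name": "web", "command": ["/bin/sh", "-c", "echo hi"]}]}),
    _event("a2", "RequestReceived", "create", "pods", WINDOWS_POD_SPEC, user="bob"),
    _event("a2", "ResponseComplete", "create", "pods", WINDOWS_POD_SPEC, user="bob"),
    _event("a3", "ResponseComplete", "create", "configmaps"),
    _event("a4", "ResponseComplete", "update", "pods",
           {"containers": [{"name": "x", "command": ["powershell"]}]}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in find_powershell_pod_creates(SAMPLE_AUDIT_LINES):
        print(finding)
```

The scan only sees what the audit policy recorded: pod creates must be logged at the Request or RequestResponse level for requestObject to be present. It inspects only the command and args fields, so an image whose entrypoint already runs PowerShell will not be caught; treat a hit as a triage lead and an empty result as no evidence rather than proof of absence.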

If you find evidence that this vulnerability has been exploited, please contact [email protected]

Acknowledgements

This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92).

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant
Mark Rossetti @marosset
Andy Zhang @andyzhangx
Justin Terry @jterry75
Kulwant Singh @KlwntSingh
Micah Hausler @micahhausler
Rita Zhang @ritazh

and release managers:

Mauricio Poppe @mauriciopoppe

Metadata

Labels

  • area/kubelet
  • area/security
  • committee/security-response: Denotes an issue or PR intended to be handled by the product security committee.
  • kind/bug: Categorizes issue or PR as related to a bug.
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • official-cve-feed: Issues or PRs related to CVEs officially announced by Security Response Committee (SRC).
  • sig/windows: Categorizes an issue or PR as relevant to SIG Windows.
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.
