Description
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH (8.8)
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Am I vulnerable?
Any Kubernetes environment with Windows nodes is impacted. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.
Affected Versions
- kubelet <= v1.28.0
- kubelet <= v1.27.4
- kubelet <= v1.26.7
- kubelet <= v1.25.12
- kubelet <= v1.24.16
How do I mitigate this vulnerability?
The provided patch fully mitigates the vulnerability (see fix impact below). Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.
Outside of applying the provided patch, there are no known mitigations to this vulnerability.
Fixed Versions
- kubelet master - fixed by "Use environment variables for parameters in Powershell" (#120128)
- kubelet v1.28.1 - fixed by "Cherry pick of #120128: Use environment variables for parameters in Powershell" (#120134)
- kubelet v1.27.5 - fixed by "Cherry pick of #120128: Use environment variables for parameters in Powershell" (#120135)
- kubelet v1.26.8 - fixed by "Cherry pick of #120128: Use environment variables for parameters in Powershell" (#120136)
- kubelet v1.25.13 - fixed by "Cherry pick of #120128: Use environment variables for parameters in Powershell" (#120137)
- kubelet v1.24.17 - fixed by "Cherry pick of #120128: Use environment variables for parameters in Powershell" (#120138)
Fix impact: Passing Windows PowerShell disk format options to in-tree volume plugins will result in an error during volume provisioning on the node. There are no known use cases for this functionality, nor is this functionality supported by any known out-of-tree CSI driver.
To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/
Detection
Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation.
If you find evidence that this vulnerability has been exploited, please contact [email protected]
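One way to run the audit-log check described above, added here as an example (not code from this advisory or from the Kubernetes project). It assumes JSON-lines audit logs written by a policy that records pod requests at Request level or higher, so that requestObject is present; the indicator regex is a heuristic chosen for illustration, and constructedField in the sample data is a hypothetical field name.

```python
import json
import re

# Heuristic markers of PowerShell syntax (assumed for this example; tune locally).
PS_INDICATORS = re.compile(
    r"\$\(|\$env:|\bpowershell(?:\.exe)?\b|\bpwsh\b|\bInvoke-\w+|\biex\b|-EncodedCommand\b",
    re.IGNORECASE)

def walk_strings(node, path):
    """Yield (json_path, value) for every string nested inside node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_audit_lines(lines):
    """Return one finding per pod-spec string that contains PowerShell syntax."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
            ref = event.get("objectRef") or {}
        except (ValueError, AttributeError):
            continue  # truncated, non-JSON, or not a JSON object
        if (event.get("verb") != "create" or ref.get("resource") != "pods"
                or ref.get("subresource")):
            continue  # not a pod creation (pods/exec etc. carry a subresource)
        spec = (event.get("requestObject") or {}).get("spec")
        if spec is None:
            continue  # Metadata-level policy: no request body was recorded
        for path, value in walk_strings(spec, "spec"):
            if PS_INDICATORS.search(value):
                findings.append({
                    "user": (event.get("user") or {}).get("username"),
                    "namespace": ref.get("namespace"), "field": path, "value": value})
    return findings

# Constructed sample events (not real log data).
SAMPLE_LINES = [
    '{"verb":"create","user":{"username":"dev-a"},"objectRef":{"resource":"pods","namespace":"default"},"requestObject":{"spec":{"containers":[{"name":"web","image":"registry.example/web:1"}]}}}',
    '{"verb":"create","user":{"username":"dev-b"},"objectRef":{"resource":"pods","namespace":"default"},"requestObject":{"spec":{"volumes":[{"constructedField":"$(constructed-placeholder)"}]}}}',
    '{"verb":"create","user":{"username":"dev-c"},"objectRef":{"resource":"pods","namespace":"default"}}',
    '{"verb":"get","objectRef":{"resource":"pods","namespace":"default"}}',
    'truncated {',
]
```

Each finding names the JSON path that matched, which matters for triage: `$(VAR)` is also Kubernetes' own variable-expansion syntax in container command, args and env values, and Windows containers often invoke powershell.exe legitimately there. Events logged at Metadata level are skipped silently, so confirm the audit policy captures request bodies for pods before treating an empty result as clean.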
Acknowledgements
This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92).
The issue was fixed and coordinated by the fix team:
James Sturtevant @jsturtevant
Mark Rossetti @marosset
Andy Zhang @andyzhangx
Justin Terry @jterry75
Kulwant Singh @KlwntSingh
Micah Hausler @micahhausler
Rita Zhang @ritazh
and release managers:
Jeremy Rickard @jeremyrickard