Message-ID: <CAL7+V1zrLPQ_GS49OhWOQX0BfMSDoYmQ8a=c0bvRWp3mpqs88A@mail.gmail.com>
Date: Wed, 23 Aug 2023 07:37:40 -0700
From: Rita Zhang <rita.z.zhang@...il.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2023-3676: Insufficient input sanitization on
 Windows nodes leads to privilege escalation

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user that can create
pods on Windows nodes may be able to escalate to admin privileges on those
nodes. Kubernetes clusters are only affected if they include Windows nodes.

This issue has been rated ***HIGH***
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - 8.8
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>),
and assigned **CVE-2023-3676**.

*Am I vulnerable?*

Any Kubernetes environment with Windows nodes is impacted.  Run
`kubectl get nodes -l kubernetes.io/os=windows` to see if any Windows nodes
are in use.

*Affected Versions*

- kubelet <= v1.28.0

- kubelet <= v1.27.4

- kubelet <= v1.26.7

- kubelet <= v1.25.12

- kubelet <= v1.24.16

*How do I mitigate this vulnerability?*

The provided patch fully mitigates the vulnerability and has no known side
effects.  Full mitigation for this class of issues requires patches applied
for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to
this vulnerability.

*Fixed Versions*

- kubelet v1.28.1

- kubelet v1.27.5

- kubelet v1.26.8

- kubelet v1.25.13

- kubelet v1.24.17

These releases will be published over the course of today, August 23rd,
2023.

To upgrade, refer to the documentation:

https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

*Detection*

Kubernetes audit logs can be used to detect if this vulnerability is being
exploited. Pod create events with embedded PowerShell commands are a strong
indication of exploitation. Config maps and secrets that contain embedded
PowerShell commands and are mounted into pods are also a strong indication
of exploitation.

If you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io

*Additional Details*

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/119339

*Acknowledgements*

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant

Mark Rossetti @marosset

Andy Zhang @andyzhangx

Justin Terry @jterry75

Kulwant Singh @KlwntSingh

Micah Hausler @micahhausler

Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee
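
The audit-log check described under *Detection*, as an added example that is not part of the original advisory or of Kubernetes itself: it scans audit events for writes to pods, config maps and secrets whose request body contains PowerShell syntax, and counts writes it could not inspect. The marker list, the skipped pod fields and the sample events are assumptions constructed for illustration; `requestObject` is only logged when the audit policy records these resources at the Request level or above.

```python
import base64, contextlib, json, re

# Heuristic markers (assumed list); "$(" is ignored for plain $(VAR) Kubernetes references.
PS = re.compile(r"\$\((?![A-Za-z_]\w*\))|\b(?:powershell|pwsh)(?:\.exe)?\b"
                r"|\bInvoke-Expression\b|\biex\b|-EncodedCommand\b", re.I)
WATCHED = {"pods", "configmaps", "secrets"}
WRITES = {"create", "update", "patch"}
SKIP = {"command", "args", "image"}  # assumption: may legitimately name PowerShell

def strings(node, skip, path=""):
    """Yield (path, value) for every string under node, ignoring dict keys in skip."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for k, v in items:
            if k not in skip:
                yield from strings(v, skip, f"{path}/{k}")

def scan(lines):
    """Return (findings, blind): matches, and watched writes logged without a body."""
    findings, blind = [], 0
    for ev in map(json.loads, lines):
        res = ev.get("objectRef", {}).get("resource")
        if res not in WATCHED or ev.get("verb") not in WRITES or ev.get("stage") != "ResponseComplete":
            continue
        obj = ev.get("requestObject")
        if obj is None:  # audit level below "Request": no body to inspect
            blind += 1
            continue
        for path, text in strings(obj, SKIP if res == "pods" else ()):
            if res == "secrets" and path.startswith("/data/"):
                with contextlib.suppress(ValueError):  # Secret data is base64 in the API
                    text = base64.b64decode(text).decode("utf-8", "replace")
            if PS.search(text):
                findings.append((ev["user"]["username"], res, path))
    return findings, blind

# Constructed sample events (not from a real cluster); field choices are arbitrary.
WIN = {"image": "example/app:1", "command": ["powershell.exe", "-Command", "Start-Sleep 60"],
       "env": [{"name": "IP", "value": "$(POD_IP)"}]}
BODIES = [("dev1", "pods", {"spec": {"containers": [WIN]}}),
          ("dev2", "pods", {"metadata": {"annotations": {"note": "$(Get-Date)"}}}),
          ("dev2", "configmaps", {"data": {"run.txt": "Invoke-Expression 'Get-Date'"}}),
          ("dev3", "secrets", {"data": {"k": base64.b64encode(b"pwsh -c Get-Date").decode()}}),
          ("dev4", "secrets", None)]
SAMPLE = [json.dumps({"stage": "ResponseComplete", "verb": "create", "user": {"username": u},
                      "objectRef": {"resource": r}, **({"requestObject": o} if o else {})})
          for u, r, o in BODIES]
```

A non-zero `blind` count means the audit policy is recording some of these writes at the Metadata level, so their contents cannot be checked from the log.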
