|
Message-ID: <CAL7+V1zmb66gKzeQUe9qzJ1MVVn=ua2JEfY-_jiMk8zJ-+K+zw@mail.gmail.com> Date: Wed, 23 Aug 2023 07:37:42 -0700 From: Rita Zhang <rita.z.zhang@...il.com> To: oss-security@...ts.openwall.com Subject: [kubernetes] CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation Hello Kubernetes Community, A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. This issue has been rated ***HIGH*** ( CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H> - 8.8 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>), and assigned **CVE-2023-3955** *Am I vulnerable?* Any kubernetes environment with Windows nodes is impacted. Run `kubectl get nodes -l kubernetes.io/os=windows` <http://kubernetes.io/os=windows> to see if any Windows nodes are in use. *Affected Versions* - kubelet <= v1.28.0 - kubelet <= v1.27.4 - kubelet <= v1.26.7 - kubelet <= v1.25.12 - kubelet <= v1.24.16 *How do I mitigate this vulnerability?* The provided patch fully mitigates the vulnerability (see fix impact below). Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893. Outside of applying the patch, there are no known mitigations to this vulnerability. *Fixed Versions* - kubelet v1.28.1 - kubelet v1.27.5 - kubelet v1.26.8 - kubelet v1.25.13 - kubelet v1.24.17 These releases will be published over the course of today, August 23rd, 2023. ***Fix impact:*** Passing Windows Powershell disk format options to in-tree volume plugins will result in an error during volume provisioning on the node. There are no known use cases for this functionality, nor is this functionality supported by any known out-of-tree CSI driver. To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster *Detection* Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation. If you find evidence that this vulnerability has been exploited, please contact security@...ernetes.io *Additional Details* See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/119595 *Acknowledgements* This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92) The issue was fixed and coordinated by the fix team: James Sturtevant @jsturtevant Mark Rossetti @marosset Andy Zhang @andyzhangx Justin Terry @jterry75 Kulwant Singh @KlwntSingh Micah Hausler @micahhausler Rita Zhang @ritazh and release managers: Jeremy Rickard @jeremyrickard Thank You, Rita Zhang on behalf of the Kubernetes Security Response Committee
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.