CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation #119339

Closed
enj opened this issue Jul 14, 2023 · 3 comments
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/windows Categorizes an issue or PR as relevant to SIG Windows. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@enj
Member

enj commented Jul 14, 2023

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH (8.8)

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Am I vulnerable?

Any Kubernetes environment with Windows nodes is impacted. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected Versions

  • kubelet <= v1.28.0
  • kubelet <= v1.27.4
  • kubelet <= v1.26.7
  • kubelet <= v1.25.12
  • kubelet <= v1.24.16

How do I mitigate this vulnerability?

The provided patch fully mitigates the vulnerability and has no known side effects. Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

Fixed Versions

To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/

Detection

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. Config maps and secrets that contain embedded PowerShell commands and are mounted into pods are also a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant
Mark Rossetti @marosset
Andy Zhang @andyzhangx
Justin Terry @jterry75
Kulwant Singh @KlwntSingh
Micah Hausler @micahhausler
Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

/triage accepted
/lifecycle frozen
/area security
/kind bug
/committee security-response
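
Added example (not part of the advisory or of the Kubernetes project): a small Python scanner that applies the Detection guidance above to Kubernetes audit log lines, flagging create events on pods, config maps and secrets whose request body contains PowerShell-looking strings. The indicator token list and the sample audit entries are constructed assumptions; the field names used (verb, user.username, objectRef, requestObject) are those of the audit.k8s.io/v1 Event schema.

```python
import json
import re

# Constructed indicator list (an assumption, not from the advisory): tokens that mark an embedded PowerShell command.
POWERSHELL_INDICATORS = re.compile(r"powershell|pwsh|invoke-expression|invoke-command|\biex\b", re.IGNORECASE)
# Resources the advisory names: pods, plus config maps and secrets that get mounted into pods.
WATCHED_RESOURCES = {"pods", "configmaps", "secrets"}


def _strings(value, path=""):
    """Yield (json_path, string) for every string nested anywhere in value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _strings(v, f"{path}[{i}]")


def find_suspicious_events(audit_lines):
    """Scan audit.k8s.io/v1 Event lines (one JSON object per line) and return a finding
    for each create on a watched resource whose requestObject holds a PowerShell-looking string."""
    findings = []
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        ref = (event.get("objectRef") or {}) if isinstance(event, dict) else {}
        if ref.get("resource") not in WATCHED_RESOURCES or event.get("verb") != "create":
            continue
        for path, text in _strings(event.get("requestObject") or {}):
            hit = POWERSHELL_INDICATORS.search(text)
            if hit:  # record where in the request body the token was found, for triage
                findings.append({"auditID": event.get("auditID"), "user": (event.get("user") or {}).get("username"),
                                 "resource": ref.get("resource"), "namespace": ref.get("namespace"),
                                 "path": path, "token": hit.group(0)})
    return findings


# Constructed sample audit entries (not real logs): a benign pod create, a config map create whose
# data embeds a PowerShell command, and a malformed line that must be skipped.
SAMPLE_AUDIT_LINES = [
    json.dumps({"auditID": "a1", "verb": "create", "user": {"username": "dev"}, "objectRef": {"resource": "pods",
                "namespace": "app"}, "requestObject": {"spec": {"containers": [{"name": "web", "image": "placeholder"}]}}}),
    json.dumps({"auditID": "a2", "verb": "create", "user": {"username": "dev"}, "objectRef": {"resource": "configmaps",
                "namespace": "app"}, "requestObject": {"data": {"run": "Invoke-Expression (Get-Content C:\\placeholder.ps1)"}}}),
    "not json at all",
]
```

requestObject is only recorded when the audit policy level for these resources is Request or RequestResponse, so check the policy before relying on this; Windows pods that legitimately launch PowerShell from container command or args will also match and need triage.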

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. triage/accepted Indicates an issue or PR is ready to be actively worked on. area/security kind/bug Categorizes issue or PR as related to a bug. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. labels Jul 14, 2023
@jeremyrickard jeremyrickard changed the title from "TITLE: PLACEHOLDER ISSUE" to "CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation" Aug 23, 2023
@jeremyrickard
Contributor

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig windows
/area kubelet

@k8s-ci-robot k8s-ci-robot added sig/windows Categorizes an issue or PR as relevant to SIG Windows. area/kubelet labels Aug 23, 2023
@k8s-ci-robot
Contributor

@jeremyrickard: Can not set label official-cve-feed: Must be member in one of these teams: [security-response-committee]

In response to this:

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig windows
/area kubelet

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ritazh
Member

ritazh commented Aug 23, 2023

/label official-cve-feed
