
CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes #121879

Closed
cji opened this issue Nov 14, 2023 · 1 comment
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/storage Categorizes an issue or PR as relevant to SIG Storage. sig/windows Categorizes an issue or PR as relevant to SIG Windows. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@cji
Member

cji commented Nov 14, 2023

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - HIGH (7.2)

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

Am I vulnerable?

Any Kubernetes environment with Windows nodes is impacted. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected Versions

  • kubelet >= v1.8.0 (including all later minor versions)

How do I mitigate this vulnerability?

The provided patch fully mitigates the vulnerability.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

Fixed Versions

To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io.

Acknowledgements

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant
Mark Rossetti @marosset
Michelle Au @msau42
Jan Šafránek @jsafrane
Mo Khan @enj
Rita Zhang @ritazh
Micah Hausler @micahhausler
Sri Saran Balaji @SaranBalaji90
Craig Ingram @cji

and release managers:
Jeremy Rickard @jeremyrickard
Marko Mudrinić @xmudrii

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig windows
/sig storage
/area kubelet
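
The Detection guidance above (PersistentVolume create events whose local path contains special characters), as an added example that is not part of this issue or of the Kubernetes code base: a small Python filter over JSON-lines audit logs. It assumes the audit policy logs persistentvolumes at Request level or higher so that requestObject is present, and the allow-list of path characters is this example's own assumption; the sample log lines are constructed.

```python
import json
import re

# Constructed sample audit-log lines (audit.k8s.io/v1 Events logged at Request
# level or higher, so requestObject is present). Not real cluster data.
SAMPLE_AUDIT_LOG = [
    json.dumps({"auditID": "a1", "verb": "create", "user": {"username": "alice"},
                "objectRef": {"resource": "persistentvolumes", "name": "pv-ok"},
                "requestObject": {"spec": {"local": {"path": "C:\\data\\vol1"}}}}),
    json.dumps({"auditID": "a2", "verb": "create", "user": {"username": "mallory"},
                "objectRef": {"resource": "persistentvolumes", "name": "pv-odd"},
                "requestObject": {"spec": {"local": {"path": "C:\\data\\vol2&\"x\""}}}}),
    json.dumps({"auditID": "a3", "verb": "get", "user": {"username": "bob"},
                "objectRef": {"resource": "persistentvolumes", "name": "pv-odd"}}),
    "not json at all",
]

# Characters expected in a plain Windows local-volume path; anything else is
# flagged. This allow-list is the example's own assumption, the advisory only
# says "special characters".
UNEXPECTED = re.compile(r"[^A-Za-z0-9:\\/._ \-]")


def pv_local_path(event):
    """Return spec.local.path from a PersistentVolume create event, else None."""
    if event.get("verb") != "create":
        return None
    if (event.get("objectRef") or {}).get("resource") != "persistentvolumes":
        return None
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return (spec.get("local") or {}).get("path")


def suspicious_pv_creates(lines):
    """One finding per PV create whose local path contains unexpected characters."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:  # malformed or truncated line: skip it
            continue
        path = pv_local_path(event)
        if path is None:
            continue
        bad = sorted(set(UNEXPECTED.findall(path)))
        if bad:
            findings.append({"auditID": event.get("auditID"), "path": path,
                             "user": (event.get("user") or {}).get("username"),
                             "chars": bad})
    return findings
```

Run suspicious_pv_creates over the audit log (one JSON event per line) and review each finding; on the sample only the a2 event is reported, with the user and the offending characters.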

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. triage/accepted Indicates an issue or PR is ready to be actively worked on. area/security kind/bug Categorizes issue or PR as related to a bug. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. labels Nov 14, 2023
@cji cji changed the title PLACEHOLDER ISSUE CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Nov 14, 2023
@k8s-ci-robot k8s-ci-robot added sig/windows Categorizes an issue or PR as relevant to SIG Windows. sig/storage Categorizes an issue or PR as relevant to SIG Storage. area/kubelet official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) labels Nov 14, 2023
@cji
Member Author

cji commented Nov 16, 2023

kubelet v1.28.4, v1.27.8, v1.26.11, and v1.25.16 have all been released.
