CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes #121879
CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - HIGH (7.2)
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Am I vulnerable?
Any Kubernetes environment with Windows nodes is impacted. Run
kubectl get nodes -l kubernetes.io/os=windows
to see if any Windows nodes are in use.
Affected Versions
How do I mitigate this vulnerability?
The provided patch fully mitigates the vulnerability.
Outside of applying the provided patch, there are no known mitigations to this vulnerability.
Fixed Versions
To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Detection
Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Acknowledgements
This vulnerability was reported by Tomer Peled @tomerpeled92
The issue was fixed and coordinated by the fix team:
James Sturtevant @jsturtevant
Mark Rossetti @marosset
Michelle Au @msau42
Jan Šafránek @jsafrane
Mo Khan @enj
Rita Zhang @ritazh
Micah Hausler @micahhausler
Sri Saran Balaji @SaranBalaji90
Craig Ingram @cji
and release managers:
Jeremy Rickard @jeremyrickard
Marko Mudrinić @xmudrii
/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig windows
/sig storage
/area kubelet
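The audit-log check described under Detection, sketched as an added example (not part of the original advisory or of Kubernetes itself). It assumes JSON-lines audit logs in which `persistentvolumes` are recorded at `Request` level or higher, so that `requestObject` is present. The path allowlist, the function names and the sample events are constructed for illustration.

```python
import json
import re

# Assumption: conservative allowlist for Windows volume paths; any other
# character counts as one of the advisory's "special characters".
SAFE_PATH = re.compile(r"[A-Za-z0-9 _.:\\/-]*")


def suspicious_pv_creates(lines):
    """Return (findings, unchecked auditIDs) for PersistentVolume creates."""
    # unchecked: events logged without a request body (Metadata level),
    # which this check cannot evaluate.
    findings, unchecked = [], []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}
        if (ev.get("verb"), ref.get("resource"), ev.get("stage")) != (
                "create", "persistentvolumes", "ResponseComplete"):
            continue
        body = ev.get("requestObject")
        if not isinstance(body, dict):
            unchecked.append(ev.get("auditID"))
            continue
        path = ((body.get("spec") or {}).get("local") or {}).get("path")
        if isinstance(path, str) and not SAFE_PATH.fullmatch(path):
            findings.append({"auditID": ev.get("auditID"), "path": path,
                             "user": (ev.get("user") or {}).get("username")})
    return findings, unchecked


def make_event(audit_id, user, path=None):
    """Build one constructed audit log line (sample data, not real logs)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
          "stage": "ResponseComplete", "verb": "create",
          "user": {"username": user},
          "objectRef": {"resource": "persistentvolumes"}}
    if path is not None:
        ev["requestObject"] = {"spec": {"local": {"path": path}}}
    return json.dumps(ev)


SAMPLE_LOG = [make_event("a1", "alice", "C:\\data\\vol1"),
              make_event("a2", "bob", "C:\\data\\vol&1"),
              make_event("a3", "carol"),  # no requestObject
              "{not json"]
```

Events returned in `unchecked` carry no request body, so they need a higher audit level or a look at the stored PersistentVolume object before they can be cleared.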