Security News > 2023 > September > Kubernetes vulnerability allows RCE on Windows endpoints (CVE-2023-3676)

Kubernetes vulnerability allows RCE on Windows endpoints (CVE-2023-3676)
2023-09-18 11:31

Three high-severity Kubernetes vulnerabilities could allow attackers to execute code remotely and gain control over all Windows nodes in the Kubernetes cluster.

"The Kubernetes framework uses YAML files for basically everything - from configuring the Container Network Interface to pod management and even secret handling," Peled explained.

The vulnerability can be exploited on default installations of Kubernetes and is a result of insufficient input sanitization on Windows nodes that leads to privilege escalation.

As Peled demonstrated, an attacker with privileges required to interact with the Kubernetes API can exploit this flaw to inject code that will be executed on remote Windows machines with SYSTEM privileges.

The three vulnerabilities affect all Kubernetes versions below v1.28.

The Kubernetes team has also explained how CVE-2023-3676 exploitation can be detected by analyzing Kubernetes audit logs: "Pod create events with embedded powershell commands are a strong indication of exploitation. Config maps and secrets that contain embedded powershell commands and are mounted into pods are also a strong indication of exploitation."


News URL

https://www.helpnetsecurity.com/2023/09/18/cve-2023-3676/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-10-31 CVE-2023-3676 Improper Input Validation vulnerability in Kubernetes
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes.
network
low complexity
kubernetes CWE-20
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Kubernetes 19 5 45 34 8 92