Researchers have issued a warning to all Kubernetes users, urging them to promptly update their clusters due to three critical command injection vulnerabilities that could allow attackers to remotely execute code.
One of these vulnerabilities, identified as CVE-2023-3676, is especially concerning as it can be exploited by individuals with “apply” privileges to interact with a Kubernetes API. The vulnerabilities, discovered by security researchers at Akamai, were patched in Kubernetes version 1.28.1, released on August 23, offering a crucial defense against potential attacks on Kubernetes clusters.
The attack vector for CVE-2023-3676 involves applying a malicious YAML file to the cluster, exploiting a vulnerability present in versions of Kubernetes prior to 1.28.1. Akamai noted that the vulnerability could be exploited on default Kubernetes installations and has been tested on both on-prem deployments and Azure Kubernetes Service. However, it is important to note that this vulnerability is restricted to Windows nodes, which are not as commonly used as other platforms.
In addition to CVE-2023-3676, Microsoft’s James Sturtevant and Mark Rossetti discovered two more command injection vulnerabilities (CVE-2023-3955 and CVE-2023-3893) while addressing Peled’s bug report. All three vulnerabilities were patched via the August 23 release of Kubernetes version 1.28.1. Kubernetes has advised users to apply the patch as there are no known mitigations outside of the patch to completely block these vulnerabilities from being exploited.
However, if users are unable to update to a patched version, there are alternative methods to potentially mitigate the threat, such as using role-based access controls, implementing policy-based actions with Open Policy Agent, or disabling volume.subpath to prevent symlink creation abuse by attackers.