ARMO named in Gartner® Cool Vendors™ report
We are excited and honored to announce that we were selected as Gartner Cool Vendor...
Aug 23, 2023
Recently, the Kubernetes Security Response Committee disclosed three interrelated vulnerabilities affecting the Windows versions of Kubelet and the Kubernetes CSI proxy. These vulnerabilities pose a significant risk, allowing even users with limited permissions to escalate their privileges to administrator level on affected nodes.
A malicious actor could craft a special workload specification (Pod spec) with host path strings that contain power shell commands. Due to lack of input sanitization, the Kubelet would pass this crafted path string to the command executor as an argument but it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has. This vulnerability can be exploited by a user capable of creating pods on Windows nodes.
We can take a look at the following code snippets from the Kubernetes source code, and see that the powershell command will execute without sanitization:
func isLinkPath(path string) (bool, error) { cmd := fmt.Sprintf("(Get-Item -LiteralPath %q).LinkType", path) output, err := exec.Command("powershell", "/c", cmd).CombinedOutput() ... }
And the fix:
func isLinkPath(path string) (bool, error) { cmd := exec.Command("powershell", "/c", "$ErrorActionPreference = 'Stop'; (Get-Item -Force -LiteralPath $env:linkpath).LinkType") cmd.Env = append(os.Environ(), fmt.Sprintf("linkpath=%s", path)) klog.V(8).Infof("Executing command: %q", cmd.String()) output, err := cmd.CombinedOutput() ... }
We can see the new way of passing the arguments using environment variables, which means the subexpression won’t be evaluated.
Bulletin: CVE-2023-3676
Another alarming flaw within Kubelet for Windows, this vulnerability shares the same risk profile as the previous one. It grants users who can create pods, with the ability to execute code at the same permission level as the Kubelet agent, privileged permissions.
As the above code snippets shows, we can see it here as well, the user can control an argument that will later be passed without sanitization to the powershell command:
func WriteVolumeCache(deviceMountPath string, exec utilexec.Interface) error { // If runtime os is windows, execute Write-VolumeCache powershell command on the disk if runtime.GOOS == "windows" { cmd := fmt.Sprintf("Get-Volume -FilePath %s | Write-Volumecache", deviceMountPath) output, err := exec.Command("powershell", "/c", cmd).CombinedOutput() klog.Infof("command (%q) execeuted: %v, output: %q", cmd, err, string(output)) ... } ... }
And the fix:
func WriteVolumeCache(deviceMountPath string, exec utilexec.Interface) error { // If runtime os is windows, execute Write-VolumeCache powershell command on the disk if runtime.GOOS == "windows" { cmdString := "Get-Volume -FilePath $env:mountpath | Write-Volumecache" cmd := exec.Command("powershell", "/c", cmdString) env := append(os.Environ(), fmt.Sprintf("mountpath=%s", deviceMountPath)) cmd.SetEnv(env) klog.V(8).Infof("Executing command: %q", cmdString) output, err := cmd.CombinedOutput() klog.Infof("command (%q) execeuted: %v, output: %q", cmdString, err, string(output)) ... } ... }
As we can see again, the same fix of using environment variables for the arguments passing.
Bulletin: CVE-2023-3955
Though this vulnerability is associated with the Kubernetes CSI proxy, its impact aligns with the previous two. Users who can create pods on Windows nodes can exploit this flaw to elevate their privileges, effectively obtaining administrator access on those nodes.
Taking a look again at the Kubernetes agent source code we can see the same issue:
func getVolumeSize(volumeID string) (int64, error) { cmd := fmt.Sprintf("(Get-Volume -UniqueId \"%s\" | Get-partition).Size", volumeID) out, err := utils.RunPowershellCmd(cmd) ... }
And the fix:
func getVolumeSize(volumeID string) (int64, error) { cmd := `(Get-Volume -UniqueId "$Env:volumeID" | Get-partition).Size` cmdEnv := fmt.Sprintf("volumeID=%s", volumeID) out, err := utils.RunPowershellCmd(cmd, cmdEnv) ... }
Bulletin: CVE-2023-3893
A recurring theme among these vulnerabilities is a lapse in input sanitization in the Windows-specific porting of the Kubelet. Specifically, when handling Pod definitions, the software fails to adequately validate or sanitize user inputs. This oversight enables malicious users to craft pods with environment variables and host paths that, when processed, lead to undesired behaviors, such as privilege escalation.
Run this command to see if you have Windows nodes:
kubectl get nodes -l kubernetes.io/os=windows
The affected Kubelet versions for CVE-2023-3676 & CVE-2023-3955 are:
And for CVE-2023-3893 are:
Organizations relying on Kubernetes, especially those utilizing Windows nodes, should take these vulnerabilities seriously.
Security is a journey, not a destination. Even the most robust systems can exhibit vulnerabilities. By staying informed, patching regularly, and adhering to security best practices, administrators can keep their Kubernetes deployments safe and resilient.
In order to do that you can always use ARMO Platform which offers misconfiguration and vulnerability management, compliance and governance, and RBAC visualization — everything organizations need to secure their Kubernetes deployments effectively on any public or private cloud. Give ARMO a try today. Protect your Kubernetes workloads with confidence and ensure a strong security posture across your clouds.
From code to cluster, helm to node, we’ve got your Kubernetes covered:
Cut the CVE noise by significantly reducing CVE-related work by over 90%
Automatic Kubernetes compliance for CIS, NSA, Mitre, SOC2, PCI, and more
Manage Kubernetes role-based-access control (RBAC) visually
We are excited and honored to announce that we were selected as Gartner Cool Vendor...
All the main K8s vulnerabilities from 2022 consolidated into one article. Read all about it...
ARMO Platform users can now utilize ChatGPT to quickly and easily create custom controls. Read...