Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover

Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances.
有关 Kubernetes 中现已修补的高严重性漏洞的详细信息已公开，该漏洞可能允许恶意攻击者在特定情况下以提升的权限实现远程代码执行。

“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled said. “To exploit this vulnerability, the attacker needs to apply malicious YAML files on the cluster.”
“该漏洞允许在Kubernetes集群内的所有Windows端点上使用SYSTEM权限远程执行代码，”Akamai安全研究员Tomer Peled说。“要利用此漏洞，攻击者需要在群集上应用恶意 YAML 文件。”

Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions –
该缺陷被跟踪为 CVE-2023-5528（CVSS 评分：7.2），会影响所有版本的 kubelet，包括 1.8.0 版本及之后版本。此问题已作为 2023 年 11 月 14 日发布的更新的一部分在以下版本中得到解决 –

• kubelet v1.28.4
• kubelet v1.27.8
• kubelet v1.26.11, and kubelet v1.26.11 和
• kubelet v1.25.16

“A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes,” Kubernetes maintainers said in an advisory released at the time. “Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.”
“在 Kubernetes 中发现了一个安全问题，可以在 Windows 节点上创建 Pod 和持久卷的用户可能能够升级到这些节点上的管理员权限，”Kubernetes 维护人员在当时发布的公告中表示。“Kubernetes 集群只有在使用 Windows 节点的树内存储插件时才会受到影响。”

Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It’s worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023.
成功利用此缺陷可导致完全接管群集中的所有 Windows 节点。值得注意的是，这家网络基础设施公司此前在 2023 年 9 月披露了另一组类似的漏洞。

The issue stems from the use of “insecure function call and lack of user input sanitization,” and relates to feature called Kubernetes volumes, specially leveraging a volume type known as local volumes that allow users to mount disk partition in a pod by specifying or creating a PersistentVolume.
该问题源于使用“不安全的函数调用和缺乏用户输入清理”，并与称为 Kubernetes 卷的功能有关，特别是利用了一种称为本地卷的卷类型，该卷类型允许用户通过指定或创建 PersistentVolume 在 Pod 中挂载磁盘分区。

“While creating a pod that includes a local volume, the kubelet service will (eventually) reach the function ‘MountSensitive(),'” Peled explained. “Inside it, there’s a cmd line call to ‘exec.command,’ which makes a symlink between the location of the volume on the node and the location inside the pod.”
“在创建一个包含本地卷的 pod 时，kubelet 服务将（最终）达到函数 ‘MountSensitive（’），”Peled 解释道。“在它内部，有一个对’exec.command’的cmd行调用，它在节点上的卷位置和Pod内部的位置之间建立了一个符号链接。

This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the “&&” command separator.
这提供了一个漏洞，攻击者可以通过在 YAML 文件中创建具有特制路径参数的 PersistentVolume 来利用该漏洞，该漏洞通过使用“&&”命令分隔符触发命令注入和执行。

“In an effort to remove the opportunity for injection, the Kubernetes team chose to delete the cmd call, and replace it with a native GO function that will perform the same operation ‘os.Symlink(),” Peled said of the patch put in place.
“为了消除注入的机会，Kubernetes 团队选择删除 cmd 调用，并将其替换为将执行相同操作的原生 GO 函数 ‘os’。Symlink（），“Peled谈到补丁时说。

The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.
此次披露是在报废 （EoL） 中发现的一个严重安全漏洞，即在报废 （EoL） 浙江宇视 ISC 相机型号 2500-S（CVE-2024-0778，CVSS 评分：9.8）中发现的严重安全漏洞被威胁行为者利用，以丢弃一个名为 NetKiller 的 Mirai 僵尸网络变体，该变体与名为 Condi 的另一个僵尸网络共享基础设施重叠。

“The Condi botnet source code was released publicly on Github between August 17 and October 12, 2023,” Akamai said. “Considering the Condi source code has been available for months now, it is likely that other threat actors […] are using it.”
“Condi 僵尸网络源代码于 2023 年 8 月 17 日至 10 月 12 日在 Github 上公开发布，”Akamai 表示。“考虑到 Condi 源代码已经可用了几个月，其他威胁行为者很可能 […]正在使用它。

原文始发于Newsroom：Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover