Summary
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. Run kubectl get nodes -l kubernetes.io/os=windows to determine whether any Windows nodes are present in your cluster. This is the original vulnerability in a class of three related issues; full mitigation requires patches for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.
Impact
Any user with permission to create pods on Windows nodes can exploit insufficient input sanitization in the kubelet to achieve admin-level privileges on those nodes. The high CVSS score (8.8) reflects the network-accessible attack vector, low required privileges, and full confidentiality, integrity, and availability impact on affected nodes. Clusters with no Windows nodes are not affected. This vulnerability was the original report in a class of three related issues; CVE-2023-3955 and CVE-2023-3893 are related findings discovered during its remediation.
Detection
Kubernetes audit logs can be used to detect whether this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. ConfigMaps and Secrets that contain embedded PowerShell commands and are mounted into pods are also a strong indication of exploitation. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.
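As an added illustration that is not part of this advisory, the following script applies the audit-log indicators above to JSON-lines audit output: it flags pod, ConfigMap and Secret writes whose request bodies contain PowerShell invocations. It assumes the audit policy records those resources at level Request or RequestResponse so that requestObject is present; the regex and the sample events are constructed for this example.

```python
import base64
import json
import re

POWERSHELL_RE = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")  # pwsh is PowerShell Core

def _strings(obj):  # yield every string nested anywhere in a decoded JSON value
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for value in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(value)

def _decode_secret(value):  # Secret .data values are base64 in the request body
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return ""

def inspect_event(event):
    """Findings for one audit event; needs requestObject (audit level Request or RequestResponse)."""
    ref, body = event.get("objectRef", {}), event.get("requestObject")
    resource = ref.get("resource")
    if event.get("verb") not in ("create", "update", "patch") or body is None:
        return []
    if resource == "pods":  # whole spec: command, args, env, lifecycle hooks, init containers
        texts = _strings(body.get("spec", {}))
    elif resource == "configmaps":
        texts = _strings(body.get("data", {}))
    elif resource == "secrets":
        texts = (_decode_secret(v) for v in body.get("data", {}).values())
    else:
        return []
    who = event.get("user", {}).get("username", "?")
    return [f"{resource}/{ref.get('namespace')}/{ref.get('name')} by {who}: {t!r}"
            for t in texts if POWERSHELL_RE.search(t)]

def scan_audit_log(lines):  # JSON-lines audit log output -> list of findings
    return [finding for line in lines for finding in inspect_event(json.loads(line))]

SAMPLE_AUDIT_LINES = [json.dumps(e) for e in (  # constructed events, not from a real cluster
    {"verb": "create", "user": {"username": "alice"}, "requestObject": {"spec": {"containers": [
        {"image": "nginx"}]}}, "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx"}},
    {"verb": "create", "user": {"username": "mallory"}, "requestObject": {"spec": {"containers": [
        {"image": "servercore", "command": ["powershell.exe", "-Command", "Get-Process"]}]}},
     "objectRef": {"resource": "pods", "namespace": "win", "name": "job1"}},
    {"verb": "create", "user": {"username": "mallory"}, "requestObject": {"data": {"run.ps1":
        base64.b64encode(b"pwsh -File C:\\task.ps1").decode()}},
     "objectRef": {"resource": "secrets", "namespace": "win", "name": "task"}},
)]
```

Windows workloads legitimately invoke PowerShell, so hits are leads to triage against expected images and users, not proof of exploitation.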
Mitigation
Upgrade kubelet to a patched version on all Windows nodes:
- v1.28.1 or later (for the 1.28 branch)
- v1.27.5 or later (for the 1.27 branch)
- v1.26.8 or later (for the 1.26 branch)
- v1.25.13 or later (for the 1.25 branch)
- v1.24.17 or later (for the 1.24 branch)
To upgrade, refer to the Kubernetes cluster upgrade documentation. There are no known mitigations outside of applying the provided patches. Full mitigation for this class of issues requires applying patches for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.