HIGH 8.8 CVE-2023-3955
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected projects
kubernetes
Disclosed
Last updated

Affected versions

Project   Vulnerable range
kubelet   <= v1.28.0
kubelet   <= v1.27.4
kubelet   <= v1.26.7
kubelet   <= v1.25.12
kubelet   <= v1.24.16

Patched versions

Project   Fixed in
kubelet   v1.28.1
kubelet   v1.27.5
kubelet   v1.26.8
kubelet   v1.25.13
kubelet   v1.24.17

References

Summary

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes. The vulnerability is part of a class of issues requiring patches for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893 for full mitigation. Run kubectl get nodes -l kubernetes.io/os=windows to determine whether any Windows nodes are present in your cluster.

Impact

Any user with permission to create pods on Windows nodes can exploit insufficient input sanitization in the kubelet to achieve admin-level privileges on those nodes. The high CVSS score (8.8) reflects the combination of network-accessible attack vector, low privileges required, and full confidentiality, integrity, and availability impact on affected nodes. Clusters with no Windows nodes are not affected. Full mitigation requires patches for all three related CVEs: CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Detection

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.
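
One way to run the audit-log check described above, as an added example that is not part of the original advisory or the Kubernetes project's code. It assumes JSON-lines audit output logged at Request level or higher; the marker regex, the helper names and the sample events are constructed for illustration.

```python
import json
import re

# Heuristic PowerShell markers (an assumption, tune for your workloads). "$(" only
# counts when it is not a plain Kubernetes $(VAR_NAME) reference.
MARKERS = re.compile(
    r"powershell(\.exe)?\b|\bpwsh\b|\binvoke-expression\b|\biex\b"
    r"|-encodedcommand\b|\$\((?![A-Za-z_][A-Za-z0-9_]*\))", re.IGNORECASE)

def strings(node, path):
    """Yield (json_path, value) for every string nested under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from strings(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan(lines):
    """Return (findings, blind): flagged pod creates, and creates logged without a body."""
    findings, blind = [], 0
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if (ev.get("verb") != "create" or ref.get("resource") != "pods"
                or ref.get("subresource") or ev.get("stage") != "ResponseComplete"):
            continue  # not a completed pod create (skips pods/exec etc.)
        body = ev.get("requestObject")
        if body is None:  # Metadata-level policy: spec was never recorded
            blind += 1
            continue
        hits = [p for p, v in strings(body, "requestObject") if MARKERS.search(v)]
        if hits:  # JSON paths are kept so expected fields can be triaged out
            findings.append({"auditID": ev.get("auditID"), "fields": hits,
                             "user": (ev.get("user") or {}).get("username")})
    return findings, blind

def _event(audit_id, body=None, sub=None):  # builds one constructed sample line
    ev = {"auditID": audit_id, "stage": "ResponseComplete", "verb": "create",
          "user": {"username": "dev-user"},
          "objectRef": {"resource": "pods", "subresource": sub}}
    return json.dumps({**ev, **({"requestObject": body} if body else {})})

SAMPLE = [  # constructed events, not taken from a real cluster
    _event("c-1", {"metadata": {"annotations": {"note": "powershell.exe -Command <placeholder>"}}}),
    _event("c-2", {"spec": {"containers": [{"args": ["--name=$(POD_NAME)"]}]}}),
    _event("c-3"), _event("c-4", {"spec": {}}, sub="exec")]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A non-zero `blind` count means the audit policy did not record request bodies for those pod creates, so the absence of findings says nothing about them.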

Mitigation

Upgrade kubelet to a patched version on all Windows nodes:

  • v1.28.1 or later (for the 1.28 branch)
  • v1.27.5 or later (for the 1.27 branch)
  • v1.26.8 or later (for the 1.26 branch)
  • v1.25.13 or later (for the 1.25 branch)
  • v1.24.17 or later (for the 1.24 branch)

To upgrade, refer to the Kubernetes cluster upgrade documentation. There are no known mitigations outside of applying the provided patches. Full mitigation for this class of issues requires applying patches for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.
