Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover

Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances.

Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all kubelet versions from 1.8.0 onward. It was addressed as part of updates released on November 14, 2023, in the following versions –

  • kubelet v1.28.4
  • kubelet v1.27.8
  • kubelet v1.26.11, and
  • kubelet v1.25.16

Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It’s worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023.

The issue stems from the use of an “insecure function call and lack of user input sanitization,” and relates to a feature called Kubernetes volumes, specifically a volume type known as local volumes, which allows users to mount a disk partition in a pod by specifying or creating a PersistentVolume.

This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the “&&” command separator.
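The fix for CVE-2023-5528 is the kubelet upgrade listed above; nothing else closes the hole. Clusters that cannot upgrade immediately, however, can add a defense-in-depth control at admission time: a PersistentVolume whose `spec.local.path` contains shell metacharacters such as `&&` has no legitimate use and can be rejected before it ever reaches a node. The Python below is an added example written for this article, not code from Kubernetes or from the researchers; the manifests are constructed, the placeholder string after `&&` is deliberately not a real command, and the response shape is a simplified stand-in for what a validating admission webhook would return.

```python
import re
from typing import Any, Dict, List

# Characters that are meaningful to a command interpreter. A storage path
# on either Linux or Windows never needs any of them, so their presence in
# spec.local.path is a policy violation rather than a judgment call.
SHELL_METACHARS = re.compile(r'[&|;<>`$"\'\r\n]')

# Accept POSIX absolute paths ("/mnt/disks/pv1") or Windows drive-letter
# absolute paths ("C:\k8s-data\pv1"); reject anything relative.
WINDOWS_DRIVE_ABS = re.compile(r"^[A-Za-z]:[\\/]")


def validate_local_pv_path(pv: Dict[str, Any]) -> List[str]:
    """Return policy violations for a PersistentVolume manifest (empty list means accept).

    Only PersistentVolumes that use the `local` volume source are inspected;
    other volume types pass through untouched.
    """
    violations: List[str] = []
    local = pv.get("spec", {}).get("local")
    if local is None:
        return violations  # not a local volume, nothing to check

    path = local.get("path")
    if not isinstance(path, str) or not path:
        return ["spec.local.path must be a non-empty string"]

    if SHELL_METACHARS.search(path):
        violations.append(f"spec.local.path contains shell metacharacters: {path!r}")

    # Normalise separators once so the traversal check works for both OS styles.
    if ".." in path.replace("\\", "/").split("/"):
        violations.append("spec.local.path must not contain '..' segments")

    if not (path.startswith("/") or WINDOWS_DRIVE_ABS.match(path)):
        violations.append(f"spec.local.path must be an absolute path: {path!r}")

    return violations


def admission_decision(pv: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap the validation result in a simplified allow/deny decision (assumed shape)."""
    problems = validate_local_pv_path(pv)
    decision: Dict[str, Any] = {"allowed": not problems}
    if problems:
        decision["message"] = "; ".join(problems)
    return decision


# Constructed sample manifests (already parsed from YAML into dicts).
GOOD_PV = {
    "apiVersion": "v1",
    "kind": "PersistentVolume",
    "metadata": {"name": "win-data-pv"},
    "spec": {
        "capacity": {"storage": "10Gi"},
        "accessModes": ["ReadWriteOnce"],
        "local": {"path": "C:\\k8s-data\\pv1"},
    },
}

# Same manifest with a "&&" separator smuggled into the path; the text after
# it is an inert placeholder, not a command.
BAD_PV = {
    "apiVersion": "v1",
    "kind": "PersistentVolume",
    "metadata": {"name": "win-data-pv-bad"},
    "spec": {
        "capacity": {"storage": "10Gi"},
        "accessModes": ["ReadWriteOnce"],
        "local": {"path": "C:\\k8s-data && PLACEHOLDER"},
    },
}

if __name__ == "__main__":
    for manifest in (GOOD_PV, BAD_PV):
        print(manifest["metadata"]["name"], "->", admission_decision(manifest))
```

Wiring this logic into a ValidatingAdmissionWebhook (or an equivalent policy-engine rule) gives an audit trail as well: every denied PersistentVolume is a log line worth alerting on, since a legitimate operator has no reason to put `&&`, `|` or quotes in a volume path. It does not replace patching kubelet.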

The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.

“The Condi botnet source code was released publicly on Github between August 17 and October 12, 2023,” Akamai said. “Considering the Condi source code has been available for months now, it is likely that other threat actors […] are using it.”