CVE-2023-1260
📋 TL;DR
Red Hat classifies CVE-2023-1260 as an authentication bypass in kube-apiserver. In practice it is an admission bypass: a remote, already-authenticated user who has been granted update or patch on the pods/ephemeralcontainers subresource (beyond what the defaults grant) can create a pod, or patch one they already have access to, and add an ephemeral container in a way that evades Security Context Constraints (SCC) admission restrictions, ending up in control of a privileged pod. SCC admission is an OpenShift Container Platform component, so the exposed systems are OpenShift clusters (Red Hat's kube-apiserver builds) whose RBAC hands those verbs on pods/ephemeralcontainers to non-administrative subjects.
💻 Affected Systems
- Kubernetes kube-apiserver as built for Red Hat OpenShift Container Platform, where the SCC admission plugin runs (see the Red Hat advisories under References for the affected releases)
📦 What is this software?
kube-apiserver is the Kubernetes API server: the control-plane component that terminates every API request, authenticates and authorizes it (RBAC), runs admission plugins, including OpenShift's SCC admission, which decides what security context a pod and its containers may use, and persists the result to etcd. Ephemeral containers are added to a running pod through the pods/ephemeralcontainers subresource, which is why the RBAC verbs on that subresource gate this issue.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain a privileged container on a worker node, which is usually enough to take over that node, read the secrets and service-account tokens mounted into the other pods scheduled there, and move laterally toward the rest of the cluster and the systems it talks to.
Likely Case
Privilege escalation inside the cluster: a developer-level identity that was granted pods/ephemeralcontainers write access escapes the restricted SCC and reaches workloads or data that the SCC was meant to keep out of its reach.
If Mitigated
Limited. The bypass needs an RBAC grant of update or patch on pods/ephemeralcontainers, so a cluster where only administrators hold those verbs reduces the issue to something administrators could already do. Stricter SCC settings alone do not close it, because the SCC check is what gets evaded.
🎯 Exploit Status
No public exploit is referenced here. Exploitation needs an authenticated identity that already holds update or patch on pods/ephemeralcontainers, plus the ability to create a pod or patch one it can already reach; the attacker then adds an ephemeral container to that pod, and the SCC restrictions that should constrain it are evaded. Nothing beyond kubectl/oc and knowledge of the Kubernetes API is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the OpenShift Container Platform releases shipped by the Red Hat advisories under References (RHSA-2023:3976, RHSA-2023:4093, RHSA-2023:4312, RHSA-2023:4898, RHSA-2023:5008). The fix is in Red Hat's kube-apiserver build, so an upstream Kubernetes version number alone does not tell you whether a cluster is fixed.
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:3976
Restart Required: Yes (a cluster upgrade rolls new kube-apiserver static pods out on every control-plane node; no manual restart is needed)
Instructions:
1. Upgrade the cluster to a release that contains the fix: oc adm upgrade --to=<fixed-version>. 2. Wait for the kube-apiserver operator to finish the rollout: oc get co kube-apiserver should show Available=True, Progressing=False, Degraded=False. 3. Confirm the running release with oc get clusterversion and check that all control-plane operators report the upgraded version.
🔧 Temporary Workarounds
RBAC Restriction
Remove or restrict 'update' and 'patch' on the pods/ephemeralcontainers subresource for every non-administrative subject. Audit namespaced Roles as well as ClusterRoles, and the bindings that hand them out. A rule with resources: ["*"] or verbs: ["*"] covers the subresource, as does "*/ephemeralcontainers"; a bare "pods" entry does not, and Kubernetes has no "pods/*" wildcard. Check the aggregated admin and edit ClusterRoles too, since they are rebuilt from their component roles after upgrades.
kubectl edit clusterrole <role-name>
Remove verbs: ['update', 'patch'] from the pods/ephemeralcontainers resource
SCC Policy Enforcement
SCC hardening is defense in depth only: the bypass evades SCC admission for the ephemeral container, so a stricter SCC does not block it; it only limits what the rest of the pod can do. Do not edit the built-in restricted SCC (Red Hat documents that the default SCCs must not be modified); inspect it and express stricter settings in a custom SCC instead.
oc get scc restricted -o yaml
Keep allowPrivilegeEscalation: false and allowPrivilegedContainer: false in any custom SCC granted to non-administrative users
🧯 If You Can't Patch
- Review and restrict RBAC permissions on the pods/ephemeralcontainers subresource (Roles, ClusterRoles and the RoleBindings/ClusterRoleBindings that grant them), and re-check after each upgrade, since aggregated ClusterRoles are rebuilt from their component roles
- Network policies do not help here: the attacker is an authenticated API user and the API endpoint must stay reachable. Instead, make sure the kube-apiserver audit log covers pod writes and alert on any update or patch to pods/ephemeralcontainers from a non-administrative identity
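The RBAC review described in the workaround and in the list above is easy to get wrong by hand because of wildcard rules and subresource matching. As an added example (not code from the advisory or from the Kubernetes/OpenShift projects), the following Python reproduces the resource and verb matching of the Kubernetes RBAC authorizer closely enough to list every Role and ClusterRole that grants update or patch on pods/ephemeralcontainers, then maps each flagged role to the subjects bound to it. It reads the JSON that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` returns; the objects embedded in `SAMPLE_ITEMS` are constructed, and every role, binding, user and namespace name in them is hypothetical.

```python
"""Find RBAC grants that reach the pods/ephemeralcontainers subresource.

Added example, not code from the advisory or from the Kubernetes/OpenShift
projects. Input: the JSON returned by
  kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json
SAMPLE_ITEMS below is constructed and every name in it is hypothetical.
"""
from __future__ import annotations

import json

WATCH_VERBS = {"update", "patch"}
SUBRESOURCE = "ephemeralcontainers"
COMBINED = "pods/" + SUBRESOURCE


def rule_grants(rule: dict) -> set[str]:
    """Subset of WATCH_VERBS this PolicyRule grants on pods/ephemeralcontainers.

    Mirrors the RBAC authorizer: apiGroup must be "" (core) or "*"; the resource
    matches "*", the exact "pods/ephemeralcontainers" or "*/ephemeralcontainers".
    A bare "pods" entry does NOT cover the subresource and there is no "pods/*".
    """
    groups = rule.get("apiGroups") or []
    if "" not in groups and "*" not in groups:
        return set()
    if not any(r in ("*", COMBINED, "*/" + SUBRESOURCE) for r in rule.get("resources") or []):
        return set()
    verbs = set(rule.get("verbs") or [])
    return set(WATCH_VERBS) if "*" in verbs else verbs & WATCH_VERBS


def find_ephemeral_grants(items: list[dict]) -> list[dict]:
    """One finding per Role/ClusterRole rule granting update/patch on the subresource."""
    findings = []
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = obj.get("metadata") or {}
        for rule in obj.get("rules") or []:
            verbs = rule_grants(rule)
            if verbs:
                findings.append({
                    "kind": obj["kind"],
                    "name": meta.get("name"),
                    "namespace": meta.get("namespace"),  # None for a ClusterRole
                    "verbs": sorted(verbs),
                    # resourceNames only narrows which pods; it does not remove the capability
                    "resourceNames": rule.get("resourceNames") or [],
                })
    return findings


def bound_subjects(findings: list[dict], items: list[dict]) -> dict[str, list[str]]:
    """Map each flagged role (Kind/namespace/name) to the subjects bound to it."""
    bindings = [o for o in items if o.get("kind") in ("RoleBinding", "ClusterRoleBinding")]
    out = {}
    for f in findings:
        subs = set()
        for b in bindings:
            ref = b.get("roleRef") or {}
            if ref.get("kind") != f["kind"] or ref.get("name") != f["name"]:
                continue
            # A RoleBinding may only reference a Role in its own namespace.
            if f["kind"] == "Role" and (b.get("metadata") or {}).get("namespace") != f["namespace"]:
                continue
            subs.update(f"{s.get('kind')}:{s.get('name')}" for s in b.get("subjects") or [])
        out[f"{f['kind']}/{f['namespace'] or ''}/{f['name']}"] = sorted(subs)
    return out


# Constructed sample in the shape of the "items" array of a kubectl List.
SAMPLE_ITEMS = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "debug-helper"},
  "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["get", "update", "patch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "pod-editor"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "update"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "app-debugger", "namespace": "team-a"},
  "rules": [{"apiGroups": [""], "resources": ["*/ephemeralcontainers"], "verbs": ["patch"], "resourceNames": ["web-0"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-helper-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "debug-helper"}, "subjects": [{"kind": "Group", "name": "developers"}]},
 {"kind": "RoleBinding", "metadata": {"name": "app-debugger-binding", "namespace": "team-a"},
  "roleRef": {"kind": "Role", "name": "app-debugger"}, "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "stale-binding", "namespace": "team-b"},
  "roleRef": {"kind": "Role", "name": "app-debugger"}, "subjects": [{"kind": "User", "name": "bob"}]}
]""")

if __name__ == "__main__":
    import sys
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE_ITEMS
    found = find_ephemeral_grants(items)
    for f in found:
        print(f"{f['kind']} {f['namespace'] or '-'}/{f['name']}: verbs={f['verbs']} names={f['resourceNames']}")
    for role, subs in bound_subjects(found, items).items():
        print(f"  {role} -> {subs or 'no bindings'}")
```

On the sample, `pod-editor` is not flagged (a bare `pods` grant does not reach the subresource) while `wildcard-admin` and the `*/ephemeralcontainers` rule are; the `team-b` binding is ignored because a RoleBinding cannot reach a Role in another namespace. After tightening a role, confirm from the subject's point of view with `kubectl auth can-i update pods/ephemeralcontainers -n <namespace> --as=<user>`, which resolves aggregation and bindings the way the API server does.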
🔍 How to Verify
Check if Vulnerable:
On OpenShift, read the running release and compare it with the fixed releases in the Red Hat advisories under References: oc get clusterversion version -o jsonpath='{.status.desired.version}'
Check Version:
kubectl version -o json and read .serverVersion.gitVersion (the --short flag no longer exists in current kubectl). OpenShift reports the upstream base plus a build suffix, for example v1.26.x+<hash>; that identifies the Kubernetes base, not whether Red Hat's fix is present, so rely on the OpenShift release.
Verify Fix Applied:
Confirm the OpenShift release is one shipped by, or newer than, the referenced advisory for your minor version, and that oc get co kube-apiserver reports the operator Available and neither Progressing nor Degraded, meaning the patched static pods have finished rolling out.
📡 Detection & Monitoring
Log Indicators:
- Any update or patch whose objectRef.resource is pods and objectRef.subresource is ephemeralcontainers from an identity outside your administrative allowlist, in the kube-apiserver audit log (on OpenShift: oc adm node-logs --role=master --path=kube-apiserver/audit.log); responseStatus.code 403 is a refused attempt, 200 a successful write
- SCC admission denials for privileged pod creation by the same identity, which may indicate probing; a successful bypass produces no SCC denial, so the absence of denials is not evidence of absence
- Running pods whose spec.ephemeralContainers carry privileged securityContext settings that the pod's SCC (annotation openshift.io/scc) should have rejected
Network Indicators:
- API traffic is TLS-encrypted, so the ephemeralcontainers calls are visible only in the audit log, not on the wire; unusual volume of such calls from a non-administrative identity is the indicator
SIEM Query (Kubernetes audit event field names):
source="kube-apiserver" AND stage="ResponseComplete" AND (verb="update" OR verb="patch") AND objectRef.resource="pods" AND objectRef.subresource="ephemeralcontainers" AND NOT user.username="system:serviceaccount:kube-system:*"
To see the requested securityContext in the event (requestObject), the audit policy must record request bodies; OpenShift's Default audit profile logs metadata only, so set spec.audit.profile to WriteRequestBodies on the apiserver/cluster resource.
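As an added example (not code from the advisory), the following Python applies the detection logic above to kube-apiserver audit events, one audit.k8s.io/v1 JSON event per line as kube-apiserver writes them. It keeps only completed update/patch requests to the ephemeralcontainers subresource, drops allowlisted system identities, records whether each request was allowed or refused, and, when the audit policy recorded the request body, flags ephemeral containers that ask for privileged settings. The events in `SAMPLE_AUDIT_LINES` are constructed; the user, namespace and pod names in them are hypothetical.

```python
"""Detect writes to pods/ephemeralcontainers in kube-apiserver audit logs.

Added example, not code from the advisory. Input: one audit.k8s.io/v1 Event
per line, as kube-apiserver writes its audit log. The events in
SAMPLE_AUDIT_LINES are constructed; user and pod names are hypothetical.
"""
from __future__ import annotations

import json
from typing import Iterable

RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def is_ephemeral_write(ev: dict) -> bool:
    """True for update/patch on a pod's ephemeralcontainers subresource."""
    ref = ev.get("objectRef") or {}
    return (ev.get("verb") in ("update", "patch")
            and ref.get("resource") == "pods"
            and ref.get("subresource") == "ephemeralcontainers")


def risky_settings(ev: dict) -> list[str]:
    """Privilege indicators in the requested ephemeral containers. Needs requestObject,
    which is only present when the audit policy records request bodies (OpenShift's
    Default profile logs metadata only; WriteRequestBodies adds the body)."""
    reasons = []
    body = ev.get("requestObject") or {}
    for c in (body.get("spec") or {}).get("ephemeralContainers") or []:
        sc, name = c.get("securityContext") or {}, c.get("name", "?")
        if sc.get("privileged"):
            reasons.append(f"{name}: privileged=true")
        if sc.get("runAsUser") == 0:
            reasons.append(f"{name}: runAsUser=0")
        caps = set((sc.get("capabilities") or {}).get("add") or []) & RISKY_CAPS
        if caps:
            reasons.append(f"{name}: caps+{sorted(caps)}")
    return reasons


def scan(lines: Iterable[str], allowlist=("system:serviceaccount:kube-system:",)) -> list[dict]:
    """One finding per completed ephemeral-container write by a non-allowlisted identity."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or rotated line
        # A request is logged at RequestReceived and again at ResponseComplete;
        # count it once, at the stage that carries the response code.
        if ev.get("stage") != "ResponseComplete" or not is_ephemeral_write(ev):
            continue
        user = (ev.get("user") or {}).get("username", "")
        if user.startswith(tuple(allowlist)):
            continue
        ref = ev["objectRef"]
        code = (ev.get("responseStatus") or {}).get("code")
        findings.append({
            "auditID": ev.get("auditID"),
            "time": ev.get("requestReceivedTimestamp"),
            "user": user,
            "verb": ev.get("verb"),
            "pod": f"{ref.get('namespace')}/{ref.get('name')}",
            "allowed": code is not None and code < 400,  # 403 = refused by RBAC or admission
            "decision": (ev.get("annotations") or {}).get("authorization.k8s.io/decision"),
            "risk": risky_settings(ev),
        })
    return findings


# Constructed sample events (hypothetical names). a1 appears twice: once per audit stage.
SAMPLE_AUDIT_LINES = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"RequestReceived","requestURI":"/api/v1/namespaces/team-a/pods/web-0/ephemeralcontainers","verb":"patch","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"pods","namespace":"team-a","name":"web-0","subresource":"ephemeralcontainers","apiVersion":"v1"},"requestReceivedTimestamp":"2023-07-10T09:15:01.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/team-a/pods/web-0/ephemeralcontainers","verb":"patch","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"pods","namespace":"team-a","name":"web-0","subresource":"ephemeralcontainers","apiVersion":"v1"},"requestObject":{"spec":{"ephemeralContainers":[{"name":"debugger","image":"busybox","securityContext":{"privileged":true,"capabilities":{"add":["SYS_ADMIN"]}}}]}},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding debug-helper-binding of ClusterRole debug-helper to Group developers"},"requestReceivedTimestamp":"2023-07-10T09:15:01.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/team-b/pods/api-1/ephemeralcontainers","verb":"patch","user":{"username":"bob","groups":["viewers"]},"objectRef":{"resource":"pods","namespace":"team-b","name":"api-1","subresource":"ephemeralcontainers","apiVersion":"v1"},"responseStatus":{"code":403},"annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""},"requestReceivedTimestamp":"2023-07-10T09:16:44.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods/dns-0/ephemeralcontainers","verb":"update","user":{"username":"system:serviceaccount:kube-system:debug-operator","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"dns-0","subresource":"ephemeralcontainers","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-07-10T09:17:00.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/team-a/pods/web-0","verb":"get","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"pods","namespace":"team-a","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2023-07-10T09:18:12.000000Z"}',
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUDIT_LINES
    for f in scan(lines):
        print(f"{f['time']} {f['user']} {f['verb']} {f['pod']} allowed={f['allowed']} risk={f['risk'] or '-'}")
```

Run it against a real log with `python3 scan.py audit.log`. On the sample it reports alice's allowed patch with a privileged, SYS_ADMIN-capable debugger container and bob's refused attempt, and skips the kube-system service account and the plain pod read. A refused attempt from a non-administrative identity is worth a ticket on its own: it means someone is probing for the grant this CVE needs, and the same identity showing up later with a 200 means the grant now exists.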
🔗 References
- https://access.redhat.com/errata/RHSA-2023:3976
- https://access.redhat.com/errata/RHSA-2023:4093
- https://access.redhat.com/errata/RHSA-2023:4312
- https://access.redhat.com/errata/RHSA-2023:4898
- https://access.redhat.com/errata/RHSA-2023:5008
- https://access.redhat.com/security/cve/CVE-2023-1260
- https://bugzilla.redhat.com/show_bug.cgi?id=2176267
- https://github.com/advisories/GHSA-92hx-3mh6-hc49
- https://security.netapp.com/advisory/ntap-20231020-0010/