CVE-2023-33190
📋 TL;DR
CVE-2023-33190 is a critical RBAC misconfiguration vulnerability in Sealos that allows attackers to gain full cluster control permissions. This enables complete compromise of Kubernetes clusters deployed with Sealos, including control over all pods and resources. All Sealos users running versions before 4.2.1-rc4 are affected.
💻 Affected Systems
- Sealos
📦 What is this software?
Sealos by Sealos Project
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster takeover allowing attacker to deploy malicious containers, exfiltrate sensitive data, disrupt all services, and establish persistent backdoors across the entire infrastructure.
Likely Case
Unauthorized access leading to data theft, service disruption, and potential lateral movement to other systems connected to the cluster.
If Mitigated
Limited impact if network segmentation and strict access controls prevent initial access, but still critical if exploited.
🎯 Exploit Status
Exploitation requires some level of access to the cluster but the actual privilege escalation is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.1-rc4 and later
Vendor Advisory: https://github.com/labring/sealos/security/advisories/GHSA-74j8-w7f9-pp62
Restart Required: Yes
Instructions:
1. Backup your cluster configuration and data.
2. Update Sealos to version 4.2.1-rc4 or later using: sealos upgrade --version 4.2.1-rc4
3. Restart the Sealos control plane components.
4. Verify RBAC permissions are properly configured.
🔧 Temporary Workarounds
No official workarounds
The vendor states there are no known workarounds for this vulnerability. Immediate patching is required.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Sealos management interfaces from untrusted networks
- Enable detailed audit logging for all RBAC permission changes and cluster administrative actions
🔍 How to Verify
Check if Vulnerable:
Check the Sealos version with: sealos version. If the version is earlier than 4.2.1-rc4, you are vulnerable.
Check Version:
sealos version
Verify Fix Applied:
After the upgrade, verify that the version is 4.2.1-rc4 or later with: sealos version. Then test RBAC permissions by attempting cluster operations that should be denied for a low-privilege user and confirming they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unexpected RBAC permission grants
- Unauthorized cluster-admin role assignments
- Suspicious kubectl commands from unexpected users
Network Indicators:
- Unusual API server requests for cluster-wide permissions
- Suspicious connections to Kubernetes API from unauthorized sources
SIEM Query:
source="kubernetes-audit" AND (verb="create" OR verb="update") AND (objectRef.resource="clusterrolebindings" OR objectRef.resource="rolebindings")
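The SIEM query is only a filter. As an added example (not part of this advisory or of the Sealos project), the Python below applies the same binding-write filter to constructed Kubernetes audit events recorded at the RequestResponse audit level, then grades each hit by whether it grants cluster-admin or comes from an author outside an assumed administrator allow-list; the usernames, namespaces and binding names are constructed.

```python
import json

# Constructed sample audit events (not real Sealos logs); the fields mirror the
# Kubernetes audit.k8s.io/v1 Event schema at the RequestResponse audit level.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "system:serviceaccount:ns-tenant1:app"},
     "objectRef": {"resource": "clusterrolebindings", "name": "tenant-escalation"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "namespace": "ns-tenant1", "name": "app"}]}},
    {"verb": "get", "user": {"username": "admin"},
     "objectRef": {"resource": "clusterrolebindings", "name": "cluster-admin"}},
    {"verb": "update", "user": {"username": "admin"},
     "objectRef": {"resource": "rolebindings", "namespace": "ns-tenant2", "name": "dev-edit"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "edit"},
                       "subjects": [{"kind": "User", "name": "dev-user"}]}},
    {"verb": "create", "user": {"username": "admin"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web"}},
])

BINDING_RESOURCES = {"clusterrolebindings", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch"}
PRIVILEGED_ROLES = {"cluster-admin"}  # a grant of these is always worth a ticket

def find_rbac_grants(audit_log: str, expected_admins=frozenset({"admin"})):
    """Return one finding per binding write in newline-delimited audit events.
    Severity is 'high' when the binding grants a privileged ClusterRole or the
    author is not an expected administrator (assumed allow-list), else 'info'."""
    findings = []
    for line in audit_log.splitlines():
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") not in WRITE_VERBS or ref.get("resource") not in BINDING_RESOURCES:
            continue  # same filter as the SIEM query: write verb AND a binding resource
        user = ev.get("user", {}).get("username", "<unknown>")
        role = ev.get("requestObject", {}).get("roleRef", {}).get("name", "<unknown>")
        subjects = [f'{s.get("kind")}:{s.get("name")}'
                    for s in ev.get("requestObject", {}).get("subjects", [])]
        severity = "high" if role in PRIVILEGED_ROLES or user not in expected_admins else "info"
        findings.append({
            "severity": severity, "verb": ev["verb"], "user": user, "role": role,
            "binding": f'{ref["resource"]}/{ref.get("namespace", "-")}/{ref.get("name")}',
            "subjects": subjects,
        })
    return findings

if __name__ == "__main__":
    for f in find_rbac_grants(SAMPLE_AUDIT_LOG):
        print(f"[{f['severity']}] {f['user']} {f['verb']} {f['binding']} -> {f['role']} for {f['subjects']}")
```

Feed it the output of the API server audit log (one JSON event per line) instead of SAMPLE_AUDIT_LOG; the requestObject fields are only present when the audit policy records RBAC resources at RequestResponse level.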
🔗 References
- https://github.com/labring/sealos/commit/4cdf52e55666864e5f90ed502e9fc13e18985b7b
- https://github.com/labring/sealos/security/advisories/GHSA-74j8-w7f9-pp62