CVE-2023-3676
📋 TL;DR
This vulnerability allows authenticated users who can create pods on Windows nodes in Kubernetes clusters to escalate privileges to administrator level on those nodes. Only Kubernetes clusters containing Windows nodes are affected. Attackers could gain full control over Windows worker nodes.
💻 Affected Systems
- Kubernetes (the kubelet running on Windows worker nodes; clusters without Windows nodes are not affected)
📦 What is this software?
Kubernetes by Kubernetes
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Windows nodes, allowing attackers to execute arbitrary code, access sensitive data, pivot to other systems, and potentially compromise the entire cluster.
Likely Case
Privilege escalation on Windows nodes leading to data exfiltration, lateral movement within the cluster, and disruption of workloads running on affected nodes.
If Mitigated
Limited impact if RBAC withholds pod creation on Windows nodes from untrusted principals and Pod Security Admission is enforced on the namespaces whose workloads land there. (Pod Security Policies were removed in Kubernetes 1.25, so they are not available on any of the patched release lines.) Network segmentation does not prevent the escalation itself, but it limits how far a compromised Windows node can pivot.
🎯 Exploit Status
Exploitation requires authenticated access with pod creation permissions on Windows nodes. Proof of concept details are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.28.2, 1.27.6, 1.26.9, 1.25.14
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/d_fvHZ9a5zc
Restart Required: Yes
Instructions:
1. Upgrade the kubelet on every Windows node to a patched version. The fix lives in the kubelet, so upgrading the control plane alone does not close the issue; upgrade the control plane first only because kubelets must not run a newer minor than the API server.
2. For managed services (EKS, AKS, GKE), follow the provider's node-pool upgrade procedure for the Windows pools.
3. The kubelet restarts as part of the upgrade; confirm the new version on each Windows node afterwards (the VERSION column of `kubectl get nodes` is the kubelet version).
🔧 Temporary Workarounds
Restrict Pod Creation on Windows Nodes
Use Kubernetes RBAC and admission control to limit which users and service accounts can create pods in the namespaces whose workloads schedule onto Windows nodes. RBAC is allow-only, so "restricting" means making a binding like the one below the only grant of pod creation in that namespace and removing broader grants; a namespaced RoleBinding is the right object here (a ClusterRoleBinding is cluster-wide and takes no namespace).
kubectl create rolebinding windows-pod-editors --clusterrole=edit --user=trusted-user --namespace=windows-namespace
kubectl auth can-i create pods --namespace=windows-namespace --as=some-other-user
Implement Pod Security Standards
Enforce Pod Security Admission (or Pod Security Policies on clusters older than 1.25) to reject privileged pods in those namespaces. This is defense in depth: the advisory's precondition is simply the ability to create pods on a Windows node, so PSA does not remove the exposure by itself.
kubectl label namespace windows-namespace pod-security.kubernetes.io/enforce=restricted
🧯 If You Can't Patch
- Implement strict RBAC controls so that only trusted users and service accounts can create pods in namespaces whose workloads run on Windows nodes.
- Dedicate namespaces to Windows workloads, taint the Windows nodes so that only pods with a matching toleration are scheduled there, apply Pod Security Standards to those namespaces, and use network policies to contain a compromised node. Taints and tolerations are a scheduling control, not a security boundary: any principal who can create a pod can add the toleration, so the RBAC restriction above is what actually limits who can reach the nodes.
🔍 How to Verify
Check if Vulnerable:
List the Windows nodes and their kubelet versions; the cluster is vulnerable if any of them reports a version below the patched release for its minor line:
kubectl get nodes -l kubernetes.io/os=windows -o wide
Check Version:
kubectl version
(`kubectl version --short` was deprecated and has been removed in recent kubectl releases; plain `kubectl version` prints the client and API server versions. The API server version is not the kubelet version, so this does not by itself tell you whether the Windows nodes are patched.)
Verify Fix Applied:
Verify that every Windows node runs kubelet 1.28.2, 1.27.6, 1.26.9, or 1.25.14 or higher on its minor line:
kubectl get nodes -l kubernetes.io/os=windows -o custom-columns=NAME:.metadata.name,KUBELET:.status.nodeInfo.kubeletVersion
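The version check above has to be done per node and per minor line, which is tedious by eye on a large cluster. The following script is an added example (not part of the advisory or the Kubernetes project): it consumes the JSON that `kubectl get nodes -o json` prints and flags Windows nodes whose kubelet predates the patched versions listed on this page. The node list embedded below is constructed for offline use; the `_node` helper and the treatment of minor lines older than 1.25 (end of life, no fix, treated as vulnerable) are assumptions of the example.

```python
"""Flag Windows nodes whose kubelet predates the CVE-2023-3676 fix.

Added example, not from the advisory or the Kubernetes project. Patched
versions are the ones listed on this page. Reads the output of
`kubectl get nodes -o json` when run as a script; SAMPLE_NODES is constructed.
"""
import json
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Lowest patched kubelet per minor line (from this page). Minor lines older than
# the oldest entry never received a fix and are treated as vulnerable; lines
# newer than the latest entry carry the fix from their first release.
FIXED_PATCH: Dict[int, int] = {25: 14, 26: 9, 27: 6, 28: 2}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Optional[Tuple[int, int, int]]:
    """'v1.27.4-eks-8ccc7ba' -> (1, 27, 4); None if no x.y.z is present."""
    m = VERSION_RE.search(s)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def kubelet_is_fixed(version: str) -> bool:
    """True if this kubelet version is at or above the patched release."""
    v = parse_version(version)
    if v is None:
        return False  # unparseable: treat as unpatched rather than silently pass
    major, minor, patch = v
    if major != 1:
        return major > 1
    if minor < min(FIXED_PATCH):
        return False
    if minor > max(FIXED_PATCH):
        return True
    return patch >= FIXED_PATCH.get(minor, 0)


def is_windows(node: dict) -> bool:
    """Windows nodes report operatingSystem 'windows' and carry kubernetes.io/os=windows."""
    info = node.get("status", {}).get("nodeInfo", {})
    labels = node.get("metadata", {}).get("labels", {})
    return info.get("operatingSystem") == "windows" or labels.get("kubernetes.io/os") == "windows"


def vulnerable_windows_nodes(node_list: dict) -> List[Tuple[str, str]]:
    """Return (node name, kubelet version) for Windows nodes below the fix."""
    out: List[Tuple[str, str]] = []
    for node in node_list.get("items", []):
        if not is_windows(node):
            continue
        name = node["metadata"]["name"]
        ver = node.get("status", {}).get("nodeInfo", {}).get("kubeletVersion", "")
        if not kubelet_is_fixed(ver):
            out.append((name, ver))
    return out


def _node(name: str, os_name: str, kubelet: str) -> dict:
    """Build a minimal Node object in the shape kubectl returns (constructed)."""
    return {
        "metadata": {"name": name, "labels": {"kubernetes.io/os": os_name}},
        "status": {"nodeInfo": {"operatingSystem": os_name, "kubeletVersion": kubelet}},
    }


# Constructed sample: one Linux node (ignored), two unpatched and two patched Windows nodes.
SAMPLE_NODES = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        _node("linux-1", "linux", "v1.27.4"),
        _node("win-1", "windows", "v1.27.4"),
        _node("win-2", "windows", "v1.28.2"),
        _node("win-old", "windows", "v1.24.17"),
        _node("win-3", "windows", "v1.27.6-gke.1"),
    ],
}

if __name__ == "__main__":
    # Live check; requires a configured kubectl. Assumed invocation, not from the page.
    raw = subprocess.check_output(["kubectl", "get", "nodes", "-o", "json"])
    for name, ver in vulnerable_windows_nodes(json.loads(raw)):
        print(f"{name}: kubelet {ver} is below the CVE-2023-3676 fix")
```

Run it against the sample by importing the module and calling `vulnerable_windows_nodes(SAMPLE_NODES)`; on a real cluster run it directly. Provider suffixes such as `-eks-...` or `-gke.1` are ignored by the regex, which only compares the upstream major.minor.patch.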
📡 Detection & Monitoring
Log Indicators:
- Unusual pod creation events on Windows nodes
- Privilege escalation attempts in Windows event logs
- Suspicious container execution patterns
Network Indicators:
- Unexpected outbound connections from Windows nodes
- Lateral movement attempts from Windows nodes
SIEM Query:
Audit-log pseudo-query (field names follow the Kubernetes audit event schema; adapt the syntax to your SIEM). A pod-creation event only names the target node when the request itself pins it through nodeName or a nodeSelector; the actual placement shows up later as the scheduler's create on the pods/binding subresource, so match both and join bindings back to the creating user by namespace and pod name:
source="kubernetes-audit" AND verb="create" AND objectRef.resource="pods" AND (requestObject.spec.nodeSelector."kubernetes.io/os"="windows" OR (objectRef.subresource="binding" AND requestObject.target.name IN (<windows node names>))) | stats count by user.username, objectRef.namespace
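The join between create and binding events is the part most SIEM one-liners get wrong, so here is the same detection as an added example in Python (not part of the advisory or the Kubernetes project) run over a constructed JSON-lines audit log. It assumes an audit policy that records pods at level `Request` or `RequestResponse` so that `requestObject` is present, and a known set of Windows node names (here `WINDOWS_NODES`, constructed; in practice taken from `kubectl get nodes -l kubernetes.io/os=windows`). The fallback to `responseObject.metadata.name` for pods created with `generateName` is an assumption of the example.

```python
"""Find pods that were created for, or bound to, Windows nodes in audit logs.

Added example, not from the advisory or the Kubernetes project. Input is the
JSON-lines audit log written by the API server (audit.k8s.io/v1 events).
"""
import json
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Constructed set of Windows node names; populate from the cluster in practice.
WINDOWS_NODES: Set[str] = {"win-node-1"}

Hit = Tuple[str, str, str, str]  # (user, namespace, pod, reason)


def targets_windows(spec: dict, windows_nodes: Set[str]) -> bool:
    """True if the pod spec itself pins the pod to a Windows node."""
    if spec.get("nodeName") in windows_nodes:
        return True
    return spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows"


def scan_audit_events(events: Iterable[dict], windows_nodes: Set[str]) -> List[Hit]:
    """Return hits for pod creates targeting Windows and for bindings onto Windows nodes.

    Binding events are issued by the scheduler, so a binding is attributed to
    whoever created the pod (looked up from the earlier create event).
    """
    creators: Dict[Tuple[str, str], str] = {}
    hits: List[Hit] = []
    for ev in events:
        ref = ev.get("objectRef", {})
        # One audit event is emitted per stage; only count the completed request.
        if ev.get("verb") != "create" or ref.get("resource") != "pods":
            continue
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "?")
        req = ev.get("requestObject") or {}
        resp = ev.get("responseObject") or {}
        ns = ref.get("namespace", "")
        # Assumption: for generateName creates the name is only in the response.
        name = ref.get("name") or resp.get("metadata", {}).get("name", "")
        key = (ns, name)
        sub = ref.get("subresource")
        if sub is None:
            creators[key] = user
            if targets_windows(req.get("spec", {}), windows_nodes):
                hits.append((user, ns, name, "create: spec targets a Windows node"))
        elif sub == "binding":
            target = req.get("target", {}).get("name", "")
            if target in windows_nodes:
                hits.append((creators.get(key, user), ns, name, f"binding: scheduled onto {target}"))
    return hits


def parse_audit_lines(lines: Iterable[str]) -> Iterable[dict]:
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


# Constructed sample log: alice pins a pod to Windows and the scheduler binds it;
# bob's pod goes to a Linux node. The RequestReceived stage is a duplicate to skip.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "stage": "RequestReceived", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "build-1"}},
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "build-1"},
     "requestObject": {"kind": "Pod", "spec": {"nodeSelector": {"kubernetes.io/os": "windows"}}}},
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "system:kube-scheduler"},
     "objectRef": {"resource": "pods", "subresource": "binding", "namespace": "dev", "name": "build-1"},
     "requestObject": {"kind": "Binding", "target": {"kind": "Node", "name": "win-node-1"}}},
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web"},
     "requestObject": {"kind": "Pod", "spec": {}}},
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "system:kube-scheduler"},
     "objectRef": {"resource": "pods", "subresource": "binding", "namespace": "prod", "name": "web"},
     "requestObject": {"kind": "Binding", "target": {"kind": "Node", "name": "linux-node-1"}}},
])

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for user, ns, pod, reason in scan_audit_events(parse_audit_lines(source), WINDOWS_NODES):
        print(f"{user}\t{ns}/{pod}\t{reason}")
```

Pipe a real audit log into the script (`python3 scan.py < audit.log`) or run it without input to see the constructed sample; every hit names the user who created the pod, which is what the RBAC review in the workaround section needs. Pods that reach Windows nodes only through nodeAffinity are caught by the binding branch, not by `targets_windows`.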
🔗 References
- https://github.com/kubernetes/kubernetes/issues/119339
- https://groups.google.com/g/kubernetes-security-announce/c/d_fvHZ9a5zc
- https://security.netapp.com/advisory/ntap-20231130-0007/