CVE-2023-3893

8.8 HIGH

📋 TL;DR

This vulnerability allows users with pod creation permissions on Windows nodes running kubernetes-csi-proxy to escalate privileges to admin/root level on those nodes. Only Kubernetes clusters with Windows nodes running kubernetes-csi-proxy are affected. The issue stems from improper input validation in the CSI proxy service.

💻 Affected Systems

Products:
  • Kubernetes
  • kubernetes-csi-proxy
Versions: kubernetes-csi-proxy versions prior to v1.1.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects clusters with Windows nodes running kubernetes-csi-proxy. Linux nodes are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with pod creation access gains full administrative control over Windows nodes, potentially compromising the entire cluster through lateral movement.

🟠 Likely Case

Malicious or compromised users with pod creation permissions escalate privileges to control Windows nodes and access sensitive workloads.

🟢 If Mitigated

With proper RBAC controls limiting pod creation and network segmentation, impact is limited to isolated Windows nodes.

🌐 Internet-Facing: LOW - Exploitation requires authenticated access to the Kubernetes API with pod creation permissions.
🏢 Internal Only: HIGH - Internal users or compromised accounts with pod creation permissions can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create pods on Windows nodes. The vulnerability is in the CSI proxy service that runs with elevated privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: kubernetes-csi-proxy v1.1.3

Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/lWksE2BoCyQ

Restart Required: Yes

Instructions:

1. Update kubernetes-csi-proxy to version 1.1.3 or later on all Windows nodes.
2. Restart the kubernetes-csi-proxy service.
3. Verify the updated version is running.

🔧 Temporary Workarounds

Restrict Pod Creation Permissions (platform: all)

Implement strict RBAC controls to limit which users/service accounts can create pods on Windows nodes.

Disable kubernetes-csi-proxy on Windows Nodes (platform: windows)

If CSI functionality is not required, disable the kubernetes-csi-proxy service on Windows nodes.

Stop-Service kubernetes-csi-proxy
Set-Service kubernetes-csi-proxy -StartupType Disabled

🧯 If You Can't Patch

  • Implement strict RBAC to limit pod creation to trusted users/service accounts only
  • Segment Windows nodes into isolated network zones to limit lateral movement

🔍 How to Verify

Check if Vulnerable:

Confirm the service is present on each Windows node with 'Get-Service kubernetes-csi-proxy', then check the installed kubernetes-csi-proxy version. A node is vulnerable if the version is below 1.1.3.

Check Version:

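$exe = (Get-CimInstance Win32_Service -Filter "Name='kubernetes-csi-proxy'").PathName -replace '^"?(.+?\.exe)"?.*$', '$1'
(Get-Item $exe).VersionInfo.ProductVersion   # Get-Service objects have no Version property; empty output means the binary has no version resource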

Verify Fix Applied:

Verify that the kubernetes-csi-proxy version reported by the version check above is 1.1.3 or higher on every Windows node.

📡 Detection & Monitoring

Log Indicators:

  • Unusual pod creation events on Windows nodes
  • Privilege escalation attempts in Windows event logs
  • kubernetes-csi-proxy service errors or crashes

Network Indicators:

  • Unusual outbound connections from Windows nodes after pod creation
  • Lateral movement attempts from Windows nodes

SIEM Query:

source="windows-security" EventCode=4688 (NewProcessName="*powershell*" OR NewProcessName="*cmd*") AND SubjectUserName="SYSTEM"
