CVE-2023-5528
📋 TL;DR
This CVE allows users with pod and persistent volume creation permissions on Windows nodes to escalate privileges to admin level on those nodes. Only Kubernetes clusters using in-tree storage plugins on Windows nodes are affected. Attackers could gain full control over Windows worker nodes.
💻 Affected Systems
- Kubernetes
📦 What is this software?
Fedora by Fedoraproject
Kubernetes by Kubernetes
⚠️ Risk & Real-World Impact
Worst Case
Full administrative control of Windows nodes, allowing lateral movement, data exfiltration, and cluster-wide compromise.
Likely Case
Privilege escalation on Windows nodes leading to unauthorized access to node resources and potential data theft.
If Mitigated
Limited impact if proper RBAC controls restrict pod and persistent volume creation to trusted users only.
🎯 Exploit Status
Requires authenticated access with pod and persistent volume creation permissions on Windows nodes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kubernetes security advisory for specific patched versions
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA
Restart Required: Yes
Instructions:
1. Update Kubernetes to patched version.
2. Restart affected Windows nodes.
3. Verify all components are running patched versions.
🔧 Temporary Workarounds
Migrate to CSI drivers
Replace in-tree storage plugins with Container Storage Interface (CSI) drivers
Restrict RBAC permissions
Limit pod and persistent volume creation permissions on Windows nodes to trusted users only
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can create pods and persistent volumes on Windows nodes
- Migrate Windows workloads to nodes using CSI storage drivers instead of in-tree plugins
🔍 How to Verify
Check if Vulnerable:
Check if cluster has Windows nodes using in-tree storage plugins and verify Kubernetes version against patched releases
Check Version:
kubectl version
Verify Fix Applied:
Confirm Kubernetes version is updated to patched release and Windows nodes are using CSI drivers or have restricted permissions
📡 Detection & Monitoring
Log Indicators:
- Unusual pod creation events on Windows nodes
- Persistent volume creation by unauthorized users
- Privilege escalation attempts on Windows nodes
Network Indicators:
- Unusual outbound connections from Windows nodes
- Lateral movement attempts from Windows nodes
SIEM Query:
Search for 'Create Pod' or 'Create PersistentVolume' events on Windows nodes by non-admin users
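One way to run the SIEM search above directly over Kubernetes API server audit logs (JSON lines, `audit.k8s.io/v1`). This is an added example, not code from the advisory or the Kubernetes project. The trusted-user list, the helper names and the sample events are constructed assumptions, and pod requests are matched to Windows only through a `kubernetes.io/os: windows` nodeSelector, which requires the audit policy to log at Request level or higher.

```python
import json

# Assumption: identities allowed to create pods/PVs; replace with your own list.
TRUSTED_USERS = {"system:admin", "ci-deployer"}
WATCHED = {"pods", "persistentvolumes"}

def targets_windows(event):
    # requestObject is only present at audit level Request or higher.
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return (spec.get("nodeSelector") or {}).get("kubernetes.io/os") == "windows"

def suspicious_creates(lines, trusted=TRUSTED_USERS):
    """Return (user, resource, name) for successful creates by untrusted users."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
            ref = ev.get("objectRef") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip truncated, empty or non-object lines
        resource = ref.get("resource")
        if ev.get("verb") != "create" or resource not in WATCHED:
            continue
        if ref.get("subresource") or ev.get("stage") != "ResponseComplete":
            continue  # ignore pods/exec etc. and intermediate audit stages
        code = (ev.get("responseStatus") or {}).get("code", 0)
        user = (ev.get("user") or {}).get("username", "<unknown>")
        if not 200 <= code < 300 or user in trusted:
            continue  # denied requests and trusted identities are not findings
        if resource == "pods" and not targets_windows(ev):
            continue  # PVs are cluster-scoped; pods count only when pinned to Windows
        meta = (ev.get("requestObject") or {}).get("metadata") or {}
        findings.append((user, resource, ref.get("name") or meta.get("name", "")))
    return findings

def _ev(user, resource, name, os_name=None, sub=None, code=201):
    # Builds one constructed audit event line (sample data, not a real log).
    spec = {"nodeSelector": {"kubernetes.io/os": os_name}} if os_name else {}
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "stage": "ResponseComplete", "verb": "create",
        "user": {"username": user}, "responseStatus": {"code": code},
        "objectRef": {"resource": resource, "name": name, "subresource": sub},
        "requestObject": {"metadata": {"name": name}, "spec": spec}})

SAMPLE = [_ev("alice", "persistentvolumes", "pv-win-1"),
          _ev("ci-deployer", "persistentvolumes", "pv-ci"),
          _ev("bob", "pods", "win-pod", os_name="windows"),
          _ev("bob", "pods", "linux-pod", os_name="linux"),
          _ev("alice", "pods", "win-pod", os_name="windows", sub="exec"),
          _ev("mallory", "persistentvolumes", "pv-denied", code=403), "{not json"]
```

Pods that reach Windows nodes without an explicit nodeSelector (for example through node affinity or a RuntimeClass) are not matched by this heuristic and need a separate join against the scheduled node.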
🔗 References
- https://github.com/kubernetes/kubernetes/issues/121879
- https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JH444PWZBINXLLFV7XLIJIZJHSK6UEZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XZIX727JIKF5RQW7RVVBLWXBCDIBJA7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MPGMITSZXUCAVO7Q75675SOLXC2XXU4/
- https://security.netapp.com/advisory/ntap-20240119-0009/