CVE-2024-10220
📋 TL;DR
This vulnerability in Kubernetes kubelet allows attackers to execute arbitrary commands on nodes by exploiting specially crafted gitRepo volumes. It affects all Kubernetes deployments using vulnerable kubelet versions. Attackers with permission to create pods can escalate privileges to gain control over worker nodes.
💻 Affected Systems
- Kubernetes kubelet
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of worker nodes leading to cluster-wide control, data exfiltration, and lateral movement to other systems.
Likely Case
Privilege escalation from pod-level access to node-level control, allowing attackers to steal secrets, deploy malicious containers, or disrupt workloads.
If Mitigated
Limited impact if pod security policies restrict gitRepo volume usage and network segmentation prevents lateral movement.
🎯 Exploit Status
Exploitation requires pod creation permissions. Proof-of-concept details are publicly available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.28.12, 1.29.7, 1.30.3
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko
Restart Required: Yes
Instructions:
1. Update Kubernetes control plane and nodes to patched versions.
2. Drain and restart nodes to apply kubelet updates.
3. Verify all nodes are running patched kubelet versions.
🔧 Temporary Workarounds
Disable gitRepo volumes
Prevent creation of pods using gitRepo volumes via admission controllers or pod security policies.
kubectl create -f gitrepo-blocker.yaml
Restrict pod creation permissions
Implement RBAC to limit who can create pods with volumes.
kubectl apply -f restrictive-rbac.yaml
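The two workarounds above reference manifests the page does not show. As an added example (not from the original page and not Kubernetes project code), the following is an assumed content for gitrepo-blocker.yaml: a ValidatingAdmissionPolicy whose CEL rule rejects any pod whose spec carries a gitRepo volume. It assumes an API server where admissionregistration.k8s.io/v1 is served (Kubernetes 1.30+; on 1.28 and 1.29 use apiVersion admissionregistration.k8s.io/v1beta1 with the same spec). The policy and binding names are placeholders chosen here.

```yaml
# Added example: ValidatingAdmissionPolicy that rejects pods containing a gitRepo volume.
# Assumed content for gitrepo-blocker.yaml; names below are placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes
spec:
  failurePolicy: Fail          # if the rule cannot be evaluated, reject rather than fail open
  matchConstraints:
    resourceRules:
      - apiGroups:   [""]
        apiVersions: ["v1"]
        operations:  ["CREATE", "UPDATE"]
        resources:   ["pods"]
  validations:
    # CEL: the pod passes when it declares no volumes, or when no declared volume sets .gitRepo
    - expression: "!has(object.spec.volumes) || object.spec.volumes.all(v, !has(v.gitRepo))"
      message: "gitRepo volumes are not permitted (CVE-2024-10220); clone the repository in an init container instead"
      reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes
spec:
  policyName: deny-gitrepo-volumes
  # Roll out with [Audit, Warn] first to find existing gitRepo users, then switch to [Deny]
  validationActions: [Deny]
```

Two practical notes. First, the rule matches pods, so a Deployment or Job whose template uses a gitRepo volume is still accepted by the API server; its pods are rejected at creation time and the error surfaces in ReplicaSet or Job events rather than at kubectl apply. Second, RBAC (the restrictive-rbac.yaml workaround) operates on verbs and resources, so it can limit who may create pods at all but cannot distinguish pods by volume type; the admission policy is what enforces the gitRepo restriction, and RBAC reduces the set of principals able to reach it. The gitRepo volume type is deprecated upstream, so blocking it cluster-wide is usually low-friction.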
🧯 If You Can't Patch
- Implement network policies to isolate nodes and restrict lateral movement
- Enable pod security admission to block gitRepo volume usage
🔍 How to Verify
Check if Vulnerable:
Check the kubelet version on each node with kubectl get nodes -o wide (VERSION column) and verify whether it is older than the patched release for its minor version (1.28.12, 1.29.7, 1.30.3).
Check Version:
kubectl version | grep Server && kubectl get nodes -o wide | awk '{print $1, $5}'
Verify Fix Applied:
Confirm kubelet version is 1.28.12+, 1.29.7+, or 1.30.3+ on all nodes.
📡 Detection & Monitoring
Log Indicators:
- Unusual gitRepo volume mounts in kubelet logs
- Suspicious pod creation events with volume specifications
Network Indicators:
- Unexpected outbound connections from nodes to git repositories
- Unusual process execution patterns on nodes
SIEM Query:
source="kubelet" AND "gitRepo" AND volumeMount
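The "suspicious pod creation events with volume specifications" indicator above is only visible if the API server records the pod spec, which the default Metadata-level audit logging does not. As an added example (not from the original page and not Kubernetes project code), the following kube-apiserver audit policy logs the full request body for pod create, update and patch calls and everything else at Metadata level; it assumes the API server is started with --audit-policy-file pointing at this file and --audit-log-path (or an audit webhook) configured to deliver events to your SIEM.

```yaml
# Added example: kube-apiserver audit policy that captures pod specs on write operations.
# Assumed to be referenced via --audit-policy-file; adjust the catch-all rule to your retention needs.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived        # log the completed request only, not the "received" stage
rules:
  # Full request and response bodies for pod writes, so requestObject.spec.volumes is recorded
  - level: RequestResponse
    verbs: ["create", "update", "patch"]
    resources:
      - group: ""
        resources: ["pods"]
  # Everything else: who did what, without bodies
  - level: Metadata
```

With this in place, the SIEM query can be anchored on the audit stream rather than on kubelet text logs: match events where verb is create, update or patch, objectRef.resource is pods, and requestObject.spec.volumes contains an entry with a gitRepo key; the event's user.username and sourceIPs fields then identify which principal submitted the volume, which is the detail the kubelet log lacks.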