CVE-2024-5321
📋 TL;DR
This CVE describes an improper permissions vulnerability in Kubernetes clusters with Windows nodes. BUILTIN\Users can read container logs and NT AUTHORITY\Authenticated Users can modify container logs, potentially exposing sensitive data or allowing log tampering. Only Kubernetes clusters with Windows nodes are affected.
💻 Affected Systems
- Kubernetes
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive application data from logs (credentials, tokens, PII) and tamper with logs to hide malicious activity or disrupt operations.
Likely Case
Unauthorized users reading container logs containing sensitive information, potentially leading to credential theft or data exposure.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized users from accessing Windows nodes.
🎯 Exploit Status
Exploitation requires access to a Windows node with standard user privileges. No authentication bypass needed beyond having user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kubernetes security advisory for specific patched versions
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/81c0BHkKNt0
Restart Required: Yes
Instructions:
1. Update Kubernetes to the patched version.
2. Restart affected Windows nodes.
3. Verify permissions are corrected on container log directories.
🔧 Temporary Workarounds
Restrict Windows Node Access
Limit access to Windows nodes to authorized administrators only
Implement strict network policies and RBAC to control access to Windows nodes
Manual Permission Fix
Manually adjust permissions on container log directories on Windows nodes. icacls only expands a wildcard in the final path component, so apply the change to the whole log tree with /T (recurse) and /C (continue past files it cannot process); an ACE reported as inherited has to be removed from the parent directory rather than from the file:
icacls "C:\ProgramData\docker\containers" /remove "BUILTIN\Users" /T /C
icacls "C:\ProgramData\docker\containers" /remove "NT AUTHORITY\Authenticated Users" /T /C
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from accessing Windows nodes
- Monitor Windows node access and container log access patterns for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check if Windows nodes have BUILTIN\Users or NT AUTHORITY\Authenticated Users permissions on container log files in C:\ProgramData\docker\containers\
Check Version:
kubectl version (the --short flag was removed from kubectl in newer releases, so plain kubectl version reports both client and server versions)
Verify Fix Applied:
Verify that only SYSTEM and Administrators have access to container log files after patching
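The following audit script is an added example, not part of the advisory or the Kubernetes project: run elevated on each Windows node, it walks the log directory named on this page (adjust $LogRoot if your runtime stores logs elsewhere) and reports every ACE that still grants BUILTIN\Users or NT AUTHORITY\Authenticated Users access, flagging whether that access includes write rights and whether the ACE is inherited from the parent directory.

```powershell
# Added ACL audit for CVE-2024-5321 (example code, not from the advisory).
# Exits 1 when any *.log file under $LogRoot still grants the two non-admin
# principals named in the CVE any Allow access; exits 0 when none are found.
param([string]$LogRoot = 'C:\ProgramData\docker\containers')

$Watched   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
# FileSystemRights.Write covers WriteData/AppendData/WriteAttributes/WriteEA;
# Modify and FullControl both contain these bits, so one mask detects all three.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write

$findings = Get-ChildItem -Path $LogRoot -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    (Get-Acl -Path $file.FullName).Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Watched -contains $_.IdentityReference.Value
      } |
      ForEach-Object {
        [pscustomobject]@{
          File      = $file.FullName
          Principal = $_.IdentityReference.Value
          Rights    = $_.FileSystemRights
          CanWrite  = (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
          # An inherited ACE cannot be removed on the file itself; fix the parent directory.
          Inherited = $_.IsInherited
        }
      }
  }

if ($findings) {
  $findings | Format-Table -AutoSize
  Write-Warning ("{0} ACE(s) still grant non-admin principals access to container logs under {1}" -f @($findings).Count, $LogRoot)
  exit 1
} else {
  Write-Host "No BUILTIN\Users or Authenticated Users ACEs found on *.log files under $LogRoot"
  exit 0
}
```

Any row with CanWrite set to True corresponds to the log-tampering case described above; rows with CanWrite False but present still allow the log-disclosure case.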
📡 Detection & Monitoring
Log Indicators:
- Unexpected access to container log files by non-admin users on Windows nodes
- Modification timestamps on log files by non-admin users
Network Indicators:
- Unusual RDP or WinRM connections to Windows nodes followed by file access patterns
SIEM Query (pseudo-SQL; Event ID 4663 is only generated when "Audit File System" object-access auditing is enabled and a SACL has been set on the log directory, and the local SYSTEM account appears in 4663 events as the node's machine account, NODENAME$, so that name usually belongs in the exclusion list as well):
EventID=4663 AND ObjectName LIKE '%C:\\ProgramData\\docker\\containers\\%.log%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')
🔗 References
- https://github.com/kubernetes/kubernetes/issues/126161
- https://groups.google.com/g/kubernetes-security-announce/c/81c0BHkKNt0
- http://www.openwall.com/lists/oss-security/2024/07/17/3