Researchers Element Kubernetes Vulnerability That Allows Home windows Node Takeover

Kubernetes Vulnerability

Particulars have been made public a few now-patched high-severity flaw in Kubernetes that might enable a malicious attacker to realize distant code execution with elevated privileges underneath particular circumstances.

“The vulnerability permits distant code execution with SYSTEM privileges on all Home windows endpoints inside a Kubernetes cluster,” Akamai safety researcher Tomer Peled said. “To use this vulnerability, the attacker wants to use malicious YAML recordsdata on the cluster.”

Tracked as CVE-2023-5528 (CVSS rating: 7.2), the shortcoming impacts all variations of kubelet, together with and after model 1.8.0. It was addressed as a part of updates launched on November 14, 2023, within the following variations –

  • kubelet v1.28.4
  • kubelet v1.27.8
  • kubelet v1.26.11, and
  • kubelet v1.25.16

“A safety difficulty was found in Kubernetes the place a person that may create pods and protracted volumes on Home windows nodes could possibly escalate to admin privileges on these nodes,” Kubernetes maintainers said in an advisory launched on the time. “Kubernetes clusters are solely affected if they’re utilizing an in-tree storage plugin for Home windows nodes.”


Profitable exploitation of the flaw may lead to a whole takeover of all Home windows nodes in a cluster. It is price noting that one other set of comparable flaws was beforehand disclosed by the net infrastructure firm in September 2023.

The problem stems from the usage of “insecure perform name and lack of person enter sanitization,” and pertains to characteristic referred to as Kubernetes volumes, specifically leveraging a quantity sort referred to as local volumes that enable customers to mount disk partition in a pod by specifying or making a PersistentVolume.

“Whereas making a pod that features a native quantity, the kubelet service will (finally) attain the perform ‘MountSensitive(),'” Peled defined. “Inside it, there is a cmd line name to ‘exec.command,’ which makes a symlink between the situation of the quantity on the node and the situation contained in the pod.”

This supplies a loophole that an attacker can exploit by making a PersistentVolume with a specifically crafted path parameter within the YAML file, which triggers command injection and execution through the use of the “&&” command separator.


“In an effort to take away the chance for injection, the Kubernetes workforce selected to delete the cmd name, and exchange it with a local GO perform that may carry out the identical operation ‘os.Symlink(),” Peled stated of the patch put in place.

The disclosure comes as a important safety flaw found within the end-of-life (EoL) Zhejiang Uniview ISC digital camera mannequin 2500-S (CVE-2024-0778, CVSS rating: 9.8) is being exploited by menace actors to drop a Mirai botnet variant referred to as NetKiller that shares infrastructure overlaps with a special botnet named Condi.

“The Condi botnet supply code was launched publicly on Github between August 17 and October 12, 2023,” Akamai said. “Contemplating the Condi supply code has been out there for months now, it’s probably that different menace actors […] are utilizing it.”

Notify of
Inline Feedbacks
View all comments
Previous Post

RedCurl Cybercrime Group Abuses Home windows PCA Software for Company Espionage

Next Post
How to Identify a Cyber Adversary: What to Look For

The best way to Establish a Cyber Adversary: What to Look For

Related Posts