A security bug in the widely used Kubernetes container-management system allows attackers to remotely execute code with System privileges on Windows endpoints, potentially leading to full takeover of all Windows nodes within a Kubernetes cluster.
Akamai security researcher Tomer Peled discovered the flaw, which is tracked as CVE-2023-5528 and has a CVSS score of 7.2. Exploitation lies in manipulating Kubernetes volumes, a feature aimed at supporting the sharing of data between pods on a cluster, or storing it persistently outside of a pod’s lifecycle, he explained in a blog post published March 13.
Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows; however, “there are many different volume types developers can use,” creating different attack scenarios, Peled observed in the post.
The patch for the flaw removes the injection opportunity by deleting the cmd call and replacing it with a native Go function that performs the same operation to create the symlink.
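The fix pattern the article describes, as an added Go illustration that is not Kubernetes' own code: a volume-style link name interpolated into a cmd.exe command line (only built here, never executed) beside the same name handed to os.Symlink as an opaque argument, with the link confined to a base directory. The helper names and the sample values are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ShellMklinkCommand builds (but does not run) the risky form: a caller-
// supplied link name spliced into a cmd.exe command line. Any cmd
// metacharacter in linkName becomes part of the command text.
func ShellMklinkCommand(linkName, target string) string {
	return fmt.Sprintf(`cmd /c mklink /D %s %s`, linkName, target)
}

// HasShellMetachars reports whether cmd.exe would treat the value as
// more than a plain path. Useful as a detection check on incoming names.
func HasShellMetachars(s string) bool {
	return strings.ContainsAny(s, "&|<>^%\"")
}

// NativeSymlink is the hardened form: name and target go straight to the
// OS symlink API, so no command interpreter parses them. The link path is
// additionally kept inside baseDir to block traversal out of the volume.
func NativeSymlink(baseDir, linkName, target string) (string, error) {
	link := filepath.Join(baseDir, linkName)
	rel, err := filepath.Rel(baseDir, link)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("link name %q escapes %s", linkName, baseDir)
	}
	if err := os.Symlink(target, link); err != nil {
		return "", err
	}
	return link, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "symlink-demo") // constructed scratch directory
	defer os.RemoveAll(dir)
	name := "vol&extra" // constructed name containing a cmd metacharacter
	fmt.Println("shell form would run:", ShellMklinkCommand(name, dir))
	link, err := NativeSymlink(dir, name, dir)
	fmt.Println("native form created:", link, err)
}
```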