
===================================================================
                               CERT-Renater

                     Information Note No. 2023/VULN262

_____________________________________________________________________

DATE                : 24/08/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running kubernetes-csi-proxy versions
                              prior to 2.0.0-alpha.1, 1.1.3.

====================================================================
https://discuss.kubernetes.io/t/security-advisory-cve-2023-3893-insufficient-input-sanitization-on-kubernetes-csi-proxy-leads-to-privilege-escalation/25206
_____________________________________________________________________


[Security Advisory] CVE-2023-3893: Insufficient input sanitization
on kubernetes-csi-proxy leads to privilege escalation

Aug 23
Security_k8s.io


Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user that can
create pods on Windows nodes running kubernetes-csi-proxy may be able
to escalate to admin privileges on those nodes. Kubernetes clusters
are only affected if they include Windows nodes running
kubernetes-csi-proxy.

This issue has been rated HIGH
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - 8.8), and
assigned CVE-2023-3893.

Am I vulnerable?

Any Kubernetes environment with Windows nodes that are running
kubernetes-csi-proxy is impacted. This is a common default configuration
on Windows nodes. To see if any Windows nodes are in use, run:

     kubectl get nodes -l kubernetes.io/os=windows


Affected Versions

     kubernetes-csi-proxy <= v2.0.0-alpha.0

     kubernetes-csi-proxy <= v1.1.2

How do I mitigate this vulnerability?

The provided patch fully mitigates the vulnerability and has no known
side effects. Full mitigation for this class of issues requires patches
applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations
to this vulnerability.


Fixed Versions

     kubernetes-csi-proxy v2.0.0-alpha.1

     kubernetes-csi-proxy v1.1.3


These releases will be published over the course of today,
August 23rd, 2023.

To upgrade: cordon the node, stop the associated Windows service,
replace the csi-proxy.exe binary, restart the associated Windows
service, and un-cordon the node. See the installation docs for
more details: GitHub - kubernetes-csi/csi-proxy: CSI Proxy utility
to enable CSI Plugins on Windows

If a Windows host process daemon set is used to run
kubernetes-csi-proxy such as
https://github.com/kubernetes-csi/csi-driver-smb/blob/master/charts/latest/csi-driver-smb/templates/csi-proxy-windows.yaml,
simply upgrade the image to a fixed version such as Package
sig-windows/csi-proxy · GitHub


Detection

Kubernetes audit logs can be used to detect if this vulnerability
is being exploited. Pod create events with embedded PowerShell
commands are a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited,
please contact security@kubernetes.io
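
One way to run the audit-log check described above, as an added example
that is not part of the original advisory. It assumes JSON-lines audit
logs recorded at Request level or higher (so that requestObject is
present); the indicator list, the helper names and the sample events are
constructed for illustration, and every string in the request body is
scanned rather than one particular field.

```python
import json
import re
# Assumed indicator list; tune locally. "$(" is flagged unless it is a plain
# Kubernetes env reference such as $(NODE_NAME), which is legitimate pod syntax.
INDICATORS = re.compile(
    r"\$\((?![A-Za-z_][A-Za-z0-9_]*\))|\bpowershell(\.exe)?\b|\bpwsh\b"
    r"|\bInvoke-[A-Za-z]+|\biex\b|-EncodedCommand\b",
    re.IGNORECASE,
)

def iter_strings(node, path=""):
    """Yield (path, value) for every string nested inside a JSON value."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            yield from iter_strings(value, f"{path}/{key}")

def scan_audit_lines(lines):
    """Return one finding per suspicious string in a pod create request body."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        ref = event.get("objectRef") or {}
        if event.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource"):
            continue  # only pod creations; pods/exec, pods/binding are skipped
        user = (event.get("user") or {}).get("username")
        for path, value in iter_strings(event.get("requestObject") or {}):
            if INDICATORS.search(value):
                findings.append({"user": user, "namespace": ref.get("namespace"),
                                 "field": path, "value": value})
    return findings

def _event(verb, user, body):  # builds one constructed audit log line
    return json.dumps({"apiVersion": "audit.k8s.io/v1", "kind": "Event", "level": "Request",
                       "verb": verb, "user": {"username": user}, "requestObject": body,
                       "objectRef": {"resource": "pods", "namespace": "demo"}})

# Constructed sample input, not taken from a real cluster.
SAMPLE = [
    _event("create", "ci-bot", {"spec": {"containers": [{"args": ["--node=$(NODE_NAME)"]}]}}),
    _event("create", "dev-user", {"metadata": {"annotations": {"note": "$(Get-Date)"}}}),
    _event("get", "dev-user", {"metadata": {"annotations": {"note": "$(Get-Date)"}}}),
    '{"kind": "Event", "verb": "create", "objec',
]
```

Only the second sample event is reported: the first uses ordinary
$(VAR) environment expansion, the third is not a create, and the fourth
is a truncated line.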


Additional Details

See the GitHub issue for more details: CVE-2023-3893: Insufficient
input sanitization on kubernetes-csi-proxy leads to privilege
escalation · Issue #119594 · kubernetes/kubernetes · GitHub


Acknowledgements

This vulnerability was discovered by James Sturtevant @jsturtevant
and Mark Rossetti @marosset during the process of fixing CVE-2023-3676
(that original CVE was reported by Tomer Peled @tomerpeled92).


The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant

Mark Rossetti @marosset

Andy Zhang @andyzhangx

Justin Terry @jterry75

Kulwant Singh @KlwntSingh

Micah Hausler @micahhausler

Rita Zhang @ritazh

and release managers:

Mauricio Poppe @mauriciopoppe

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee


=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================