Skip to content

CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation #119339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
enj opened this issue Jul 14, 2023 · 3 comments
Closed

CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation #119339

enj opened this issue Jul 14, 2023 · 3 comments
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/windows Categorizes an issue or PR as relevant to SIG Windows. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@enj
Copy link
Member

enj commented Jul 14, 2023
edited
Loading

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH (8.8)

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Am I vulnerable?

Any kubernetes environment with Windows nodes is impacted. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected Versions

  • kubelet <= v1.28.0
  • kubelet <= v1.27.4
  • kubelet <= v1.26.7
  • kubelet <= v1.25.12
  • kubelet <= v1.24.16

How do I mitigate this vulnerability?

The provided patch fully mitigates the vulnerability and has no known side effects. Full mitigation for this class of issues requires patches applied for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to this vulnerability.

Fixed Versions

To upgrade, refer to the documentation:
https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/

Detection

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded powershell commands are a strong indication of exploitation. Config maps and secrets that contain embedded powershell commands and are mounted into pods are also a strong indication of exploitation.

If you find evidence that this vulnerability has been exploited, please contact [email protected]

Acknowledgements

This vulnerability was reported by Tomer Peled @tomerpeled92

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant
Mark Rossetti @marosset
Andy Zhang @andyzhangx
Justin Terry @jterry75
Kulwant Singh @KlwntSingh
Micah Hausler @micahhausler
Rita Zhang @ritazh

and release managers:

Jeremy Rickard @jeremyrickard

/triage accepted
/lifecycle frozen
/area security
/kind bug
/committee security-response
@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. triage/accepted Indicates an issue or PR is ready to be actively worked on. area/security kind/bug Categorizes issue or PR as related to a bug. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. labels Jul 14, 2023
@jeremyrickard jeremyrickard changed the title TITLE: PLACEHOLDER ISSUE CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation Aug 23, 2023
@jeremyrickard
Copy link
Contributor

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig windows
/area kubelet

@k8s-ci-robot k8s-ci-robot added sig/windows Categorizes an issue or PR as relevant to SIG Windows. area/kubelet labels Aug 23, 2023
@k8s-ci-robot
Copy link
Contributor

@jeremyrickard: Can not set label official-cve-feed: Must be member in one of these teams: [security-response-committee]

In response to this:

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig windows
/area kubelet

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ritazh
Copy link
Member

ritazh commented Aug 23, 2023

/label official-cve-feed

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label Aug 23, 2023
@miwithro miwithro mentioned this issue Aug 23, 2023
Closed
@wzshiming wzshiming mentioned this issue Aug 29, 2023
Open
@enj enj closed this as completed Oct 31, 2023
@k8s-sec-alert k8s-sec-alert mentioned this issue Nov 1, 2023
Open
This was referenced May 7, 2024
Open
Open
doanac pushed a commit to lmp-mirrors/meta-virtualization that referenced this issue Sep 5, 2024
@anusurivijay @zeddii
kubernetes: Security fix for CVE-2023-3676 and CVE-2023-3955
e0cd09e 
Upstream-commit:
kubernetes/kubernetes@7da6d72
& kubernetes/kubernetes@a53faf5

Reference:
kubernetes/kubernetes#119339

Signed-off-by: Vijay Anusuri <[email protected]>
Signed-off-by: Bruce Ashfield <[email protected]>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-virtualization that referenced this issue Sep 9, 2024
@anusurivijay @jpuhlman
kubernetes: Security fix for CVE-2023-3676 and CVE-2023-3955
398bc7a 
Source: meta-virtualization
MR: 162401
Type: Integration
Disposition: Merged from meta-virtualization
ChangeID: e0cd09e
Description:

Upstream-commit:
kubernetes/kubernetes@7da6d72
& kubernetes/kubernetes@a53faf5

Reference:
kubernetes/kubernetes#119339

Signed-off-by: Vijay Anusuri <[email protected]>
Signed-off-by: Bruce Ashfield <[email protected]>
Signed-off-by: Jeremy A. Puhlman <[email protected]>
daregit pushed a commit to daregit/yocto-combined that referenced this issue Apr 3, 2025
@anusurivijay @zeddii
src/meta-virtualization:kubernetes: Security fix for CVE-2023-3676 and
ffdfd60 
…CVE-2023-3955

Upstream-commit:
kubernetes/kubernetes@7da6d72
& kubernetes/kubernetes@a53faf5

Reference:
kubernetes/kubernetes#119339

Signed-off-by: Vijay Anusuri <vanusurimvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfieldgmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/windows Categorizes an issue or PR as relevant to SIG Windows. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
[sig-windows] Issue Tracking
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ritazh @enj @k8s-ci-robot @jeremyrickard