Akamai has offered security teams a proof-of-concept YAML file and Open Policy Agent rule for blocking a high-severity vulnerability in Kubernetes that was originally patched late last year.
Akamai researcher Tomer Peled said in a March 13 blog post that the vulnerability — CVE-2023-5528 — allows remote code execution with System privileges on all Windows endpoints within a Kubernetes cluster. Peled said to exploit this flaw, the attacker needs to apply malicious YAML files on the Kubernetes cluster — a move that can lead to full takeover on all Windows nodes in a cluster.
Because the Kubernetes framework uses YAML files for basically everything — from configuring Container Network Interface plug-ins to pod management, and even secret handling — Peled said an exploitation of this vulnerability could have disastrous consequences.
“The only mitigation available is to patch Kubernetes to a version later than 1.28.3,” said Peled.
It should be noted that the NIST CVE post said the Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Jason Soroko, senior vice president of product at Sectigo, added that this flaw represents an interesting and unique development in the world of Kubernetes because the attack targets storage management plugins, rather than the core code of Kubernetes itself.
“The kind of rigor that’s put into the security of a core system is typically more than its peripheral integration points, and I think that's what we are seeing here with this vulnerability,” said Soroko. “For DevOps practitioners, that means taking inventory of your plugins and integrations so that when a vulnerability like this gets published, you can quickly determine if the patch applies to you.”
