CyberSecurity SEE

Kubernetes vulnerability enables privilege escalation in Windows


Kubernetes, the widely used container orchestration system, has released a patched version that addresses a series of vulnerabilities. They allowed attackers to abuse the subPath property of YAML configuration files to execute malicious commands on Windows hosts. The discovery was made by Akamai researcher Tomer Peled, who found a critical vulnerability that allowed remote code execution with SYSTEM privileges on Windows endpoints within a Kubernetes cluster.

To exploit this vulnerability, an attacker needs to apply a malicious YAML file to the cluster. Kubernetes uses YAML for its configuration and management files, which makes YAML an attractive target for attackers: it provides a direct way to push user-controlled input to the Kubernetes engine and have it parsed and interpreted.

YAML parsing issues have been a concern in the past; for example, CVE-2022-1471 in the SnakeYaml parser affected the Kubernetes Java client. The CVE-2021-25749 flaw allowed misspelled user names in a YAML file to result in workloads running as root. Two other vulnerabilities, CVE-2017-1002101 and CVE-2021-25741, showed how the subPath subproperty in a YAML file could be combined with symbolic links (symlinks) to access files outside the container, breaking its isolation. It was these vulnerabilities that sparked Peled's investigation.

Kubernetes allows a directory from the host system to be mounted inside a container through the volumes property. This widely used feature has several subproperties that define the path of the directory on the host and the mount path inside the container. Alongside mountPath, a volume mount can also specify a subPath, which is processed by kubelet, the node agent and a core Kubernetes service.

During his investigation, Peled found that when kubelet processes the subPath string, it also checks whether the path is a symlink, as a defense against the previously mentioned vulnerabilities. On Windows, however, it performed this check by invoking a PowerShell command through Go's exec.Command function call, with the subPath string embedded in the command line. An attacker could therefore append PowerShell code to the subPath string, and kubelet would execute it.

PowerShell evaluates subexpressions inside strings before they are used: adding $(<expression_to_be_evaluated>) to a string causes whatever sits between the parentheses to be evaluated as PowerShell. Any command can be placed there, including $(Start-Process cmd), $(Invoke-Expression exp), and other PowerShell constructs.
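The two defensive lessons from the passages above are that a subPath value should never be allowed to carry shell syntax, and that the symlink question should be answered in-process rather than by building a command line. The following Go program is an added example, not kubelet's code or the Kubernetes project's fix: it parses a constructed JSON pod manifest (Kubernetes accepts JSON as well as YAML, which keeps the example on the standard library), rejects subPath values containing PowerShell metacharacters or traversal components, and checks for symlinks with os.Lstat instead of invoking PowerShell. The metacharacter list, the trimmed manifest struct and the function names are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Minimal subset of a Pod manifest: only the fields this check needs
// (assumption: real manifests carry many more fields, which json ignores).
type podManifest struct {
	Spec struct {
		Containers []struct {
			Name         string `json:"name"`
			VolumeMounts []struct {
				Name      string `json:"name"`
				MountPath string `json:"mountPath"`
				SubPath   string `json:"subPath"`
			} `json:"volumeMounts"`
		} `json:"containers"`
	} `json:"spec"`
}

// Characters that let a string change meaning once it reaches a PowerShell
// command line: $( ) for subexpressions, backticks for escapes, quotes and
// separators. A benign subPath never needs any of them.
// (Assumption: this list is this example's own, not kubelet's.)
const shellMeta = "$`\"';&|<>()"

// checkSubPathSyntax rejects values that could carry shell syntax or escape
// the volume: absolute paths, backslash separators and ".." components.
func checkSubPathSyntax(subPath string) error {
	if subPath == "" {
		return nil // subPath is optional
	}
	if strings.ContainsAny(subPath, shellMeta) {
		return fmt.Errorf("subPath %q contains shell metacharacters", subPath)
	}
	if strings.Contains(subPath, "\\") || strings.HasPrefix(subPath, "/") || filepath.IsAbs(subPath) {
		return fmt.Errorf("subPath %q must be a relative path using '/'", subPath)
	}
	for _, part := range strings.Split(subPath, "/") {
		if part == ".." {
			return fmt.Errorf("subPath %q contains a '..' component", subPath)
		}
	}
	return nil
}

// checkMountedSubPath validates the string, then answers the symlink question
// with an in-process Lstat: no command line is built, so nothing can be injected.
func checkMountedSubPath(volumeRoot, subPath string) error {
	if err := checkSubPathSyntax(subPath); err != nil {
		return err
	}
	if subPath == "" {
		return nil
	}
	fi, err := os.Lstat(filepath.Join(volumeRoot, filepath.FromSlash(subPath)))
	if errors.Is(err, os.ErrNotExist) {
		return nil // target does not exist yet; nothing to resolve
	}
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("subPath %q resolves to a symlink", subPath)
	}
	return nil
}

// findBadSubPaths parses a manifest and returns one message per rejected
// subPath, keyed by container and mount name (an admission-style check).
func findBadSubPaths(manifest []byte) ([]string, error) {
	var pod podManifest
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, err
	}
	var problems []string
	for _, c := range pod.Spec.Containers {
		for _, m := range c.VolumeMounts {
			if err := checkSubPathSyntax(m.SubPath); err != nil {
				problems = append(problems, fmt.Sprintf("%s/%s: %v", c.Name, m.Name, err))
			}
		}
	}
	return problems, nil
}

// Constructed sample manifest: one clean mount and one carrying a $( ) subexpression.
const sampleManifest = `{
  "apiVersion": "v1", "kind": "Pod",
  "spec": {"containers": [{
    "name": "app",
    "volumeMounts": [
      {"name": "data", "mountPath": "/data", "subPath": "logs/app"},
      {"name": "data", "mountPath": "/tmp/x", "subPath": "x$(Get-Date)"}
    ]}]}
}`

func main() {
	problems, err := findBadSubPaths([]byte(sampleManifest))
	if err != nil {
		panic(err)
	}
	for _, p := range problems {
		fmt.Println("rejected:", p) // prints the second mount only
	}
}
```

The syntax check is deliberately an allowlist of plain relative paths rather than a denylist of known payloads: the `$(...)` form discussed above is only one way PowerShell reinterprets a string, and a subPath has no legitimate need for quotes, separators or parentheses at all. The Lstat check shows the shape of the in-process alternative; the patched kubelet's own implementation is not reproduced here.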

Peled's discovery prompted the release of a new Kubernetes version with patches for the issue. The patches prevent attackers from executing PowerShell code through the subPath property of YAML configuration files. Users are strongly advised to update their Kubernetes installations to the latest version to ensure their systems are protected.

In conclusion, the latest version of Kubernetes addresses a critical vulnerability that allowed attackers to execute malicious commands on Windows hosts through the subPath property of YAML configuration files. Tomer Peled's discovery also led to the identification of two other similar vulnerabilities. By applying a malicious YAML file to a Kubernetes cluster, an attacker could achieve remote code execution with SYSTEM privileges on Windows endpoints. Kubernetes users should update to the latest version to protect against these vulnerabilities.
