A Proactive Approach to Address Windows Vulnerability (CVE-2023-5528) with Kyverno

22 March 2024


Introduction

Recently, Akamai’s Tomer Peled announced a security threat to Kubernetes clusters, CVE-2023-5528. A user who can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. With a CVSS score of 7.2, this vulnerability presents a critical risk of full cluster compromise on default Kubernetes clusters before version 1.28.4. 

Assessing Vulnerability Exposure

Organizations employing Kubernetes versions before 1.28.4, particularly those incorporating Windows nodes, are advised to prioritize updates to mitigate this vulnerability. A simple verification method using kubectl can swiftly reveal the presence of susceptible Windows nodes within the cluster, highlighting immediate risk factors.

kubectl get nodes -o wide --show-labels | grep "os=windows"

Mitigation Strategies

While patching to version 1.28.4 or later remains the primary mitigation, immediate upgrades are not always feasible. In the meantime, a Kyverno rule provides a useful interim defense, although it is not a substitute for the eventual upgrade.

The Role of Kyverno in Vulnerability Mitigation

Kyverno, a Kubernetes-native policy engine, offers a streamlined and effective way to preempt exploitation of CVE-2023-5528. By validating, mutating, and generating resources based on predefined conditions, Kyverno’s admission control webhook can enforce a policy that rejects PersistentVolumes whose local path contains the character the vulnerability relies on.

Implementing Kyverno Policies

Deploying Kyverno in the cluster is the first step toward protecting your Kubernetes environment against CVE-2023-5528. Once Kyverno is running, applying the policy below prevents the use of “&” in the local path of a PersistentVolume, which blocks the injection this vulnerability depends on.

Sample Kyverno Policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-persistentvolume
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-persistentvolume
      match:
        any:
        - resources:
            kinds:
              - PersistentVolume
      # Only evaluate PVs that actually set spec.local.path; hostPath, NFS,
      # CSI and other volume sources are left alone.
      preconditions:
        all:
        - key: "{{ request.object.spec.local.path || '' | length(@) }}"
          operator: GreaterThan
          value: 0
      validate:
        cel:
          expressions:
            # has() guards the field a second time so the expression cannot
            # error on a PV without spec.local; a local path containing '&'
            # is rejected.
            - expression: "!has(object.spec.local) || !object.spec.local.path.contains('&')"
              message: "PersistentVolumes cannot use a local path that contains '&'"

This policy serves not only as a direct countermeasure to CVE-2023-5528 but also exemplifies the broader capabilities of Kyverno in enhancing Kubernetes cluster security through policy enforcement.
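The two checks this post describes, the exposure assessment (Windows nodes still running a kubelet older than 1.28.4) and the policy rule (reject a PersistentVolume whose spec.local.path contains “&”, ignore PVs with no local path), can be rehearsed offline before the policy is rolled out. The script below is an added example and is not code from this post or from the Kyverno project. It runs the same logic as the kubectl check and the Kyverno rule over constructed sample data: the node list is shaped like the output of `kubectl get nodes -o json`, the PV manifests are invented, and the 1.28.4 threshold is taken from the post as written.

```python
"""Offline rehearsal of the CVE-2023-5528 exposure check and the '&' PV rule.

Added example, not part of the post or of Kyverno. All inputs below are
constructed samples.
"""
import re

# First fixed version named in the post; adjust if your distribution ships
# a backported fix on an older minor line.
PATCHED = (1, 28, 4)

# Constructed sample shaped like `kubectl get nodes -o json`.
NODES = {
    "items": [
        {"metadata": {"name": "win-1", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"kubeletVersion": "v1.27.9"}}},
        {"metadata": {"name": "win-2", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"kubeletVersion": "v1.28.5"}}},
        {"metadata": {"name": "linux-1", "labels": {"kubernetes.io/os": "linux"}},
         "status": {"nodeInfo": {"kubeletVersion": "v1.27.9"}}},
    ]
}

# Constructed PV manifests covering the cases the policy must distinguish.
PVS = [
    {"metadata": {"name": "pv-local-ok"},
     "spec": {"local": {"path": "C:\\data\\vol1"}}},
    {"metadata": {"name": "pv-local-bad"},
     "spec": {"local": {"path": "C:\\data\\a&b"}}},
    {"metadata": {"name": "pv-hostpath"},
     "spec": {"hostPath": {"path": "/var/data"}}},
    {"metadata": {"name": "pv-local-empty"},
     "spec": {"local": {"path": ""}}},
]

DENY_MESSAGE = "PersistentVolumes cannot use a local path that contains '&'"


def parse_kubelet_version(version):
    """Turn 'v1.27.9' or 'v1.27.9-eks-abc' into (1, 27, 9); None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def exposed_windows_nodes(nodes, patched=PATCHED):
    """Names of Windows nodes whose kubelet is older than the patched version.

    Mirrors `kubectl get nodes ... | grep os=windows`, plus the version test
    that the grep leaves to the operator. Unparseable versions are reported
    as exposed so they are not silently skipped.
    """
    exposed = []
    for node in nodes["items"]:
        labels = node["metadata"].get("labels", {})
        if labels.get("kubernetes.io/os") != "windows":
            continue
        version = parse_kubelet_version(node["status"]["nodeInfo"]["kubeletVersion"])
        if version is None or version < patched:
            exposed.append(node["metadata"]["name"])
    return exposed


def local_path(pv):
    """spec.local.path, or '' when the PV is not a local volume."""
    return (pv.get("spec", {}).get("local") or {}).get("path", "")


def validate_pv(pv):
    """None if the PV would be admitted, else the denial message.

    Same decision as the Kyverno rule: the precondition skips PVs without a
    local path (length 0), and the CEL expression rejects '&' in the path.
    """
    path = local_path(pv)
    if not path:            # precondition: length(path) > 0 fails, rule skipped
        return None
    if "&" in path:         # CEL: !object.spec.local.path.contains('&')
        return DENY_MESSAGE
    return None


def denied_pvs(pvs):
    """(name, message) for every PV the policy would reject."""
    return [(pv["metadata"]["name"], msg) for pv in pvs if (msg := validate_pv(pv))]


if __name__ == "__main__":
    print("exposed Windows nodes:", exposed_windows_nodes(NODES))
    for name, msg in denied_pvs(PVS):
        print(f"denied {name}: {msg}")
```

Only `win-1` is reported as exposed (Windows and pre-1.28.4), and only `pv-local-bad` is denied; the hostPath PV and the local PV with an empty path pass through exactly as the precondition in the policy intends.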
