How to hack Kubernetes pods and execute malicious code remotely

2023-09-15 18:02:00

According to findings from Akamai security experts, a high-severity vulnerability in Kubernetes can be exploited to achieve remote code execution (RCE) on any Windows endpoint that is part of the cluster.

The flaw, identified as CVE-2023-3676 and with a CVSS score of 8.8, affects how Kubernetes processes YAML files. The container orchestration system uses these files for almost all aspects of its operation, including configuration, management, secret handling, automatic deployment, scalability, and managing containerized application pods.

In 2022, the CVE-2022-1471 vulnerability was discovered in the SnakeYAML constructor; it allowed remote code execution in susceptible applications.

Kubernetes itself has had many vulnerabilities, such as CVE-2021-25749 (workloads could run as ContainerAdministrator even if the runAsNonRoot option was set to true), and CVE-2017-1002101 and CVE-2021-25741 (race conditions and symlinks in combination with the subPath subproperty in a YAML file).

When users create a pod, they also have the option to create a shared directory between the pod and the host. This feature is called "volumes".

For volumes to be accessible, the volume parameter must be added to the YAML file, in addition to mountPath (which specifies the location in the container) and hostPath (which specifies the location on the host).

You can also mount the shared directory at a specific location with the help of the subPath subproperty. The kubelet then reads this YAML file, checks each parameter in it, and uses the internal isLinkPath function to ensure that no symbolic links are formed in the subPath argument. To determine the path type, a PowerShell command is generated that takes the subPath subproperty of the YAML file as a parameter. This PowerShell command is then passed to the exec.Command function call, which processes it.

Additional investigation discovered that exec.Command is used here with user input that has not been sanitized, resulting in a command injection vulnerability.

Recommended remedies include disabling the use of Volume.Subpath, using the open source Open Policy Agent (OPA) to set rules that prohibit particular YAML files, and applying role-based access control (RBAC) to restrict the number of users who can perform activities on a cluster.
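The kind of rule described above can be expressed as a small admission-style check. This is an added example, not code from Akamai or the Kubernetes project: it rejects any volumeMount subPath that falls outside a character allowlist. The allowlist, the type and function names, and the sample manifest are assumptions for illustration; the manifest is JSON, the form in which pod objects reach admission webhooks.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Only the Pod fields this check reads (hypothetical type names).
type mount struct {
	Name    string `json:"name"`
	SubPath string `json:"subPath"`
}
type container struct {
	Name         string  `json:"name"`
	VolumeMounts []mount `json:"volumeMounts"`
}
type pod struct {
	Spec struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
	} `json:"spec"`
}

// Assumed policy: letters, digits, '.', '_', '/', '\' and '-' only, so no
// shell or PowerShell metacharacter can reach a generated command line.
var safeSubPath = regexp.MustCompile(`^[A-Za-z0-9._/\\-]*$`)

// CheckSubPaths returns one finding per volumeMount whose subPath is outside the allowlist.
func CheckSubPaths(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("parse pod: %w", err)
	}
	var findings []string
	for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
		for _, m := range c.VolumeMounts {
			if !safeSubPath.MatchString(m.SubPath) {
				findings = append(findings, fmt.Sprintf("%s/%s: subPath %q rejected", c.Name, m.Name, m.SubPath))
			}
		}
	}
	return findings, nil
}

// Constructed sample: one acceptable subPath, one containing a disallowed character.
const samplePod = `{"spec":{"containers":[
 {"name":"api","volumeMounts":[{"name":"shared","mountPath":"/data","subPath":"app/logs"}]},
 {"name":"web","volumeMounts":[{"name":"shared","mountPath":"/data","subPath":"logs;PLACEHOLDER"}]}]}}`

func main() { fmt.Println(CheckSubPaths([]byte(samplePod))) }
```

An allowlist is used rather than a list of known-bad strings so that the check does not depend on enumerating every metacharacter the downstream interpreter understands.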

“CVE-2023-3676 enforces least privilege and, as a result, sets a low threshold for attackers. All an attacker needs is access to a node and the ability to apply privileges. The high impact coupled with the ease of exploitation generally means that there is no greater likelihood of seeing this attack (and similar attacks) in organizations,” writes Akamai. “The high impact coupled with ease of exploitation also means there is a higher likelihood of seeing similar attacks.”
