Kubernetes vulnerability allows RCE on Windows endpoints (CVE-2023-3676)

Three high-severity Kubernetes vulnerabilities (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955) could allow attackers to execute code remotely and gain control over all Windows nodes in the Kubernetes cluster.


About the vulnerabilities

CVE-2023-3676, discovered by Akamai researcher Tomer Peled, is a command injection vulnerability that can be exploited by applying a malicious YAML file on the cluster.

“The Kubernetes framework uses YAML files for basically everything — from configuring the Container Network Interface to pod management and even secret handling,” Peled explained.

The vulnerability can be exploited on default installations of Kubernetes and is a result of insufficient input sanitization on Windows nodes that leads to privilege escalation. The insufficient input sanitization combined with exec.Command creates the opportunity for a command injection.

As Peled demonstrated, an attacker with privileges required to interact with the Kubernetes API can exploit this flaw to inject code that will be executed on remote Windows machines with SYSTEM privileges.

This vulnerability led to the discovery of additional command injection vulnerabilities tracked as CVE-2023-3893 and CVE-2023-3955, both of which are caused by insecure function call and lack of user input sanitization.


The three vulnerabilities affect all Kubernetes versions below v1.28. The Kubernetes team has provided fixed versions in late August.

Admins are advised to upgrade to a fixed version, but if that’s not possible, Akamai has outlined alternative mitigation actions.

The Kubernetes team has also explained how CVE-2023-3676 exploitation can be detected by analyzing Kubernetes audit logs: “Pod create events with embedded powershell commands are a strong indication of exploitation. Config maps and secrets that contain embedded powershell commands and are mounted into pods are also a strong indication of exploitation.” (They’ve also asked users to share evidence of exploitation with them.)

Peled has also provided a proof-of-concept YAML file to demonstrate how the flaw can be exploited.

“CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges,” he said.

“High impact coupled with ease of exploitation usually means that there is a higher chance of seeing this attack (and similar attacks) on organizations. In fact, the only limiting factor with this vulnerability is its scope — it is restricted to Windows nodes, which are not very popular today.”

Don't miss