Recently, the Kubernetes Security Response Committee disclosed three interrelated vulnerabilities affecting the Windows versions of Kubelet and the Kubernetes CSI proxy. These vulnerabilities pose a significant risk, allowing even users with limited permissions to escalate their privileges to administrator level on affected nodes.
Kubelet privilege escalation via Pod spec command injection – CVE-2023-3676A malicious actor could craft a special workload specification (Pod spec) with host path strings that contain power shell commands. Due to lack of input sanitization, the Kubelet would pass this crafted path string to the command executor as an argument but it would execute parts of the string as separate commands. These commands would run with the same administrative privileges as Kubelet has. This vulnerability can be exploited by a user capable of creating pods on Windows nodes.