
oss-sec mailing list archives

[kubernetes] CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation


From: Rita Zhang <rita.z.zhang () gmail com>
Date: Wed, 23 Aug 2023 07:37:43 -0700

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user that can create
pods on Windows nodes running kubernetes-csi-proxy may be able to escalate
to admin privileges on those nodes. Kubernetes clusters are only affected
if they include Windows nodes running kubernetes-csi-proxy.

This issue has been rated ***HIGH*** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - 8.8
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>),
and assigned **CVE-2023-3893**.

*Am I vulnerable?*

Any kubernetes environment with Windows nodes that are running
kubernetes-csi-proxy is impacted.  This is a common default configuration
on Windows nodes.  Run `kubectl get nodes -l kubernetes.io/os=windows` to see
if any Windows nodes are in use.

*Affected Versions*

- kubernetes-csi-proxy <= v2.0.0-alpha.0

- kubernetes-csi-proxy <= v1.1.2

*How do I mitigate this vulnerability?*

The provided patch fully mitigates the vulnerability and has no known side
effects.  Full mitigation for this class of issues requires patches applied
for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Outside of applying the provided patch, there are no known mitigations to
this vulnerability.

*Fixed Versions*

- kubernetes-csi-proxy v2.0.0-alpha.1

- kubernetes-csi-proxy v1.1.3

These releases will be published over the course of today, August 23rd,
2023.

To upgrade: cordon the node, stop the associated Windows service, replace
the csi-proxy.exe binary, restart the associated Windows service, and
un-cordon the node.  See the installation docs for more details:
https://github.com/kubernetes-csi/csi-proxy#installation

If a Windows host process daemon set is used to run kubernetes-csi-proxy,
such as
https://github.com/kubernetes-csi/csi-driver-smb/blob/master/charts/latest/csi-driver-smb/templates/csi-proxy-windows.yaml,
simply upgrade the image to a fixed version such as
ghcr.io/kubernetes-sigs/sig-windows/csi-proxy:v1.1.3.

*Detection*

Kubernetes audit logs can be used to detect if this vulnerability is being
exploited. Pod create events with embedded powershell commands are a strong
indication of exploitation.
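As an added example (not part of the advisory or the csi-proxy project), a minimal scan over constructed Kubernetes audit-log entries for the indicator named above: pod create requests whose container command, args or env values embed a PowerShell invocation. It assumes an audit policy that logs pods at level Request or RequestResponse, so that requestObject is present in each event; the sample entries are constructed here, not captured from a cluster.

```python
import json
import re

# Indicator named in the advisory: a pod create request carrying an embedded
# PowerShell command (legacy or cross-platform binary, with or without .exe).
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)

def _spec_strings(spec):
    """Yield command, args and env values from containers and initContainers."""
    for key in ("containers", "initContainers"):
        for c in spec.get(key, []):
            for field in ("command", "args"):
                yield from (str(v) for v in c.get(field, []))
            yield from (str(e["value"]) for e in c.get("env", []) if "value" in e)

def suspicious_pod_create(event):
    """Finding for a pod create with embedded PowerShell, else None. requestObject needs
    audit level Request/RequestResponse; only ResponseComplete is inspected (dedupe)."""
    ref = event.get("objectRef", {})
    if (event.get("verb"), ref.get("resource"), event.get("stage")) != \
            ("create", "pods", "ResponseComplete"):
        return None
    spec = event.get("requestObject", {}).get("spec", {})
    hits = [s for s in _spec_strings(spec) if POWERSHELL_RE.search(s)]
    if not hits:
        return None
    return {"auditID": event.get("auditID"), "user": event.get("user", {}).get("username"),
            "pod": f'{ref.get("namespace")}/{ref.get("name")}', "matches": hits,
            "windows_target": spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows"}

def scan_audit_log(lines):
    # One JSON audit event per line, as written by the API server's log backend.
    findings = (suspicious_pod_create(json.loads(l)) for l in lines if l.strip())
    return [f for f in findings if f]

# Constructed sample audit entries, not captured from a real cluster: the same
# Windows pod create logged at two stages, plus an ordinary Linux pod create.
_WIN_SPEC = {"nodeSelector": {"kubernetes.io/os": "windows"}, "containers": [
    {"name": "c", "image": "example.invalid/win:constructed",
     "command": ["powershell.exe", "-Command", "Get-Date"]}]}
_LINUX_SPEC = {"containers": [{"name": "c", "image": "example.invalid/linux:constructed",
                               "command": ["sh", "-c", "echo hello"]}]}
SAMPLE_AUDIT_LOG = [json.dumps({
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": aid, "stage": stage,
    "verb": "create", "user": {"username": user},
    "objectRef": {"resource": "pods", "namespace": "default", "name": name},
    "requestObject": {"kind": "Pod", "spec": spec},
}) for aid, stage, user, name, spec in [
    ("constructed-1", "RequestReceived", "dev-user", "win-job", _WIN_SPEC),
    ("constructed-1", "ResponseComplete", "dev-user", "win-job", _WIN_SPEC),
    ("constructed-2", "ResponseComplete", "ci-bot", "linux-job", _LINUX_SPEC)]]
```

The `windows_target` field only reflects an explicit nodeSelector; a pod scheduled to a Windows node by other means (taints, affinity) still needs the node to be checked against the kubectl query in the "Am I vulnerable?" section.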

If you find evidence that this vulnerability has been exploited, please
contact security () kubernetes io

*Additional Details*

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/119594

*Acknowledgements*

This vulnerability was discovered by James Sturtevant @jsturtevant and Mark
Rossetti @marosset during the process of fixing CVE-2023-3676 (that
original CVE was reported by Tomer Peled @tomerpeled92).

The issue was fixed and coordinated by the fix team:

James Sturtevant @jsturtevant

Mark Rossetti @marosset

Andy Zhang @andyzhangx

Justin Terry @jterry75

Kulwant Singh @KlwntSingh

Micah Hausler @micahhausler

Rita Zhang @ritazh

and release managers:

Mauricio Poppe @mauriciopoppe

Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee
