SentinelOne

CVE-2023-2878: Kubernetes Secrets Store CSI Driver Vulnerability

CVE-2023-2878 is an information disclosure vulnerability in Kubernetes Secrets Store CSI Driver that exposes service account tokens in logs. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2023-2878 Overview

CVE-2023-2878 is an information leakage vulnerability affecting Kubernetes secrets-store-csi-driver in versions before 1.3.3. The driver could write service account tokens into its own logs, so anyone with read access to those logs could obtain working credentials. Per the upstream advisory, tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver runs at log level 2 or higher (the -v flag), and the exposed tokens could be exchanged with external cloud providers to access secrets stored in cloud vault solutions.

Critical Impact

Service account tokens written in plaintext to driver logs can be harvested by anyone with log access. The tokens at stake are those kubelet requests on behalf of the workload pod's service account for the audiences configured in the CSIDriver tokenRequests list, so they can be replayed against the external secret provider (a cloud vault) and, where the audience includes the Kubernetes API server, against the Kubernetes API for lateral movement and privilege escalation within the cluster.

Affected Products

  • Kubernetes secrets-store-csi-driver versions before 1.3.3

Discovery Timeline

  • June 7, 2023 - CVE-2023-2878 published to NVD
  • February 13, 2025 - Last updated in NVD database

Technical Details for CVE-2023-2878

Vulnerability Analysis

This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File). The Kubernetes secrets-store-csi-driver component improperly logs service account tokens during normal operations, which can expose these sensitive credentials to anyone with access to the container or pod logs.

In Kubernetes environments, service account tokens are critical authentication credentials that allow pods to interact with the Kubernetes API. When these tokens are inadvertently written to log files, they become accessible to operators, developers, or attackers who have read access to those logs. This creates a significant security gap in environments where log aggregation systems collect and store these logs centrally.

Root Cause

The root cause is that the driver logged request data it received from kubelet without redacting it. When TokenRequests is enabled on the CSIDriver object, kubelet obtains service account tokens for the mounting pod and hands them to the driver as part of the volume attributes (the csi.storage.k8s.io/serviceAccount.tokens attribute). At log verbosity 2 or higher, that data, tokens included, was written to the log in plaintext. This is the classic CWE-532 anti-pattern: a debug or informational log statement dumps a whole request or data structure that happens to carry credentials, and no redaction step sits between the data and the logger.

Attack Vector

The attack vector is local in nature, requiring an attacker to have access to the system where logs are stored or to a centralized logging infrastructure. An attacker could exploit this vulnerability by:

  1. Gaining access to pod logs through kubectl logs commands
  2. Accessing centralized log aggregation systems (e.g., Elasticsearch, Splunk, Loki)
  3. Reading container log files directly from cluster nodes
  4. Exploiting misconfigured log shipping pipelines

Once a service account token is obtained from the logs, what the attacker can do with it depends on its audience. A token whose audience includes the Kubernetes API server lets the attacker impersonate the workload's service account against the API, with whatever RBAC permissions that account holds. A token issued for an external provider audience (the usual configuration for cloud vault providers) is rejected by the API server but can be exchanged with that provider for the secrets the workload was allowed to read. Both tokens are bound to a pod and carry an expiry, so the exposure window is the token lifetime configured in the CSIDriver tokenRequests entry.

The vulnerability mechanism involves the secrets-store-csi-driver logging service account tokens during operations. Attackers with log access can extract these tokens and use them to authenticate against the Kubernetes API. For technical details, refer to the GitHub Issue #118419 and the Kubernetes Security Announcement.

Detection Methods for CVE-2023-2878

Indicators of Compromise

  • Unexpected authentication activities from service accounts that should be dormant or inactive
  • Service account token usage from IP addresses outside the expected pod network ranges
  • Anomalous API calls using the service accounts of workloads that mount Secrets Store CSI volumes (these are the accounts whose tokens the driver requests and logged)
  • Evidence of log file access patterns targeting secrets-store-csi-driver container logs

Detection Strategies

  • Implement log monitoring for strings shaped like Kubernetes service account tokens (JWTs: three base64url segments separated by dots, the first beginning with eyJ)
  • Monitor Kubernetes audit logs for service account authentication from unexpected sources or times
  • Deploy runtime security monitoring to detect unusual file access to log directories
  • Use SentinelOne Singularity Cloud Security to monitor for suspicious Kubernetes API activity and credential abuse
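The log-scanning strategy above can be made concrete with a small triage script. The following is an added example, not code from the original page or from the secrets-store-csi-driver project: it scans log lines for JWT-shaped strings, decodes each payload without verifying the signature (we want to know whose token leaked, not whether to trust it), and reports the subject, namespace, pod, audience and whether the token is still within its validity window. The log lines, the token and its claims are constructed for the example; the klog-style line format only approximates the driver's real output, and the claim names follow the layout of Kubernetes bound service account tokens.

```python
import base64
import json
import re
import time

# A compact JWS is three base64url segments; a JSON header starting with '{"'
# always encodes to "eyJ", which is why leaked Kubernetes tokens are easy to spot.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url(obj) -> str:
    # base64url without padding, as used in JWTs
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # restore the padding the JWT encoding strips before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a bogus signature (constructed test data only)."""
    header = _b64url({"alg": "RS256", "kid": "constructed"})
    sig = base64.urlsafe_b64encode(b"not-a-real-signature").rstrip(b"=").decode()
    return f"{header}.{_b64url(claims)}.{sig}"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT signature verification; fine for triage, never for auth."""
    _, payload, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def find_leaked_tokens(log_lines, now=None):
    """Return one finding per JWT seen in the lines, with the facts an analyst needs."""
    now = time.time() if now is None else now
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        for tok in JWT_RE.findall(line):
            try:
                claims = decode_claims(tok)
            except ValueError:
                continue  # eyJ-prefixed string that is not really a JWT
            k8s = claims.get("kubernetes.io", {})  # bound-token claims block
            exp = claims.get("exp")
            findings.append({
                "line": lineno,
                "subject": claims.get("sub"),
                "namespace": k8s.get("namespace"),
                "pod": k8s.get("pod", {}).get("name"),
                "audience": claims.get("aud"),
                "expires": exp,
                "still_valid": exp is not None and exp > now,
            })
    return findings


# Constructed claims in the shape of a Kubernetes bound service account token.
SAMPLE_CLAIMS = {
    "aud": ["api://example-vault"],
    "exp": 1686132000, "iat": 1686128400, "nbf": 1686128400,
    "iss": "https://kubernetes.default.svc",
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "app-7d9f", "uid": "9b1c0c2e-0000-4000-8000-000000000001"},
        "serviceaccount": {"name": "app-sa", "uid": "3f8e1c4a-0000-4000-8000-000000000002"},
    },
    "sub": "system:serviceaccount:default:app-sa",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

# Constructed log lines; the format approximates klog output and is not the driver's real text.
SAMPLE_LOG = [
    'I0607 10:00:01.000000       1 nodeserver.go:80] "node publish volume" pod="default/app-7d9f"',
    'I0607 10:00:01.000100       1 nodeserver.go:95] "volume attributes" '
    f'csi.storage.k8s.io/serviceAccount.tokens={{"api://example-vault":{{"token":"{SAMPLE_TOKEN}","expirationTimestamp":"2023-06-07T11:00:00Z"}}}}',
    'I0607 10:00:02.000000       1 nodeserver.go:120] "mounted objects" count=3',
]

if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG):
        print(f)
```

Run it over `kubectl logs -n kube-system -l app=secrets-store-csi-driver --all-containers` output (or an export from the log platform) to get the list of subjects and audiences to rotate and to watch; the `still_valid` flag tells you whether a token can still be replayed as of the scan time.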

Monitoring Recommendations

  • Enable Kubernetes audit logging and monitor for authentication events using service accounts
  • Configure alerting on centralized logging platforms for potential token exposure patterns
  • Implement log retention policies that minimize exposure window for sensitive data
  • Deploy SentinelOne agents on Kubernetes nodes to detect suspicious process behavior and lateral movement attempts

How to Mitigate CVE-2023-2878

Immediate Actions Required

  • Upgrade secrets-store-csi-driver to version 1.3.3 or later immediately
  • Treat every token that appeared in the logs as compromised: deleting or restarting the affected workload pods invalidates pod-bound tokens at the Kubernetes API server, but an external provider that validates the token only by signature and expiry will keep accepting it until it expires, so also review that provider's access logs and rotate whatever secrets the token could reach
  • Review log access permissions and restrict access to secrets-store-csi-driver logs
  • Audit centralized logging systems for historical token exposure

Patch Information

The vulnerability is addressed in secrets-store-csi-driver version 1.3.3 and later. Organizations should upgrade to the latest available version to receive this fix along with any subsequent security improvements. For detailed information, see the Kubernetes Security Announcement and the GitHub Issue #118419.

Workarounds

  • Restrict access to pod logs using Kubernetes RBAC policies to limit who can execute kubectl logs
  • Implement log scrubbing or redaction rules in your log aggregation pipeline to remove JWT tokens
  • Run the secrets-store-csi-driver containers at log verbosity below 2 (the advisory states tokens are only logged at -v=2 or higher) until patching is complete
  • Keep the expirationSeconds of each CSIDriver tokenRequests entry as short as the provider tolerates so that a logged token has the smallest possible replay window
```bash
# Example: keep the pods/log subresource out of the roles granted to users who
# do not need it. Kubernetes RBAC is allow-only, with no deny rule, so log access
# is restricted by omitting pods/log from every role the subject holds.
kubectl create clusterrole restricted-pods --verb=get,list,watch --resource=pods
kubectl create clusterrolebinding restricted-pods --clusterrole=restricted-pods --group=developers
# Verify: prints "no" for a subject bound only to restricted-pods
kubectl auth can-i get pods --subresource=log -n kube-system --as=alice --as-group=developers
```
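The log-scrubbing workaround listed above needs a redaction step in the pipeline. The following is an added example, not code from the original page or from any log-shipping product: it redacts JWT-shaped values wherever they appear in a line, scrubs known sensitive keys in structured (JSON) lines regardless of value shape, and replaces each token with a short SHA-256 fingerprint so analysts can still correlate sightings of one token without the pipeline ever storing it. The sample token and lines are constructed; the key csi.storage.k8s.io/serviceAccount.tokens is the volume attribute kubelet uses to pass TokenRequests tokens to a CSI driver, and the generic key name token is an assumption.

```python
import hashlib
import json
import re

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Keys whose string values are scrubbed whole, even if the value is not JWT-shaped
# (opaque provider tokens, or a JSON blob that embeds tokens). "token" is an assumption;
# the CSI attribute is the one kubelet uses to hand TokenRequests tokens to the driver.
SENSITIVE_KEYS = {"token", "csi.storage.k8s.io/serviceAccount.tokens"}


def token_fingerprint(token: str) -> str:
    """Short one-way handle for correlating a token across lines without storing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def redact_text(text: str) -> str:
    """Pattern-based scrubbing for unstructured lines."""
    return JWT_RE.sub(lambda m: f"[REDACTED-JWT fp={token_fingerprint(m.group(0))}]", text)


def _redact_obj(obj):
    # Walk a parsed JSON document: sensitive keys are scrubbed by name,
    # every other string is scrubbed by pattern.
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            if k in SENSITIVE_KEYS and isinstance(v, str):
                out[k] = f"[REDACTED fp={token_fingerprint(v)}]"
            else:
                out[k] = _redact_obj(v)
        return out
    if isinstance(obj, list):
        return [_redact_obj(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def redact_line(line: str) -> str:
    """Structured lines get key- and value-based scrubbing; anything else gets pattern-based."""
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            return json.dumps(_redact_obj(json.loads(stripped)), separators=(",", ":"))
        except json.JSONDecodeError:
            pass  # looked like JSON but is not; fall back to pattern scrubbing
    return redact_text(line)


def redact_lines(lines):
    return [redact_line(line) for line in lines]


# Constructed JWT-shaped token: header {"alg":"RS256"}, payload {"sub":"x"}, signature "sig".
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4In0.c2ln"

# Constructed lines: one klog-style, one JSON-structured, one with nothing to redact.
SAMPLE_LINES = [
    'I0607 10:00:01.000100 1 nodeserver.go:95] volume attributes: '
    f'csi.storage.k8s.io/serviceAccount.tokens={{"api://example-vault":{{"token":"{SAMPLE_TOKEN}","expirationTimestamp":"2023-06-07T11:00:00Z"}}}}',
    json.dumps({"ts": "2023-06-07T10:00:01Z", "msg": "token request", "token": SAMPLE_TOKEN, "pod": "default/app-7d9f"}),
    'I0607 10:00:02.000000 1 nodeserver.go:120] mounted 3 objects',
]

if __name__ == "__main__":
    for out in redact_lines(SAMPLE_LINES):
        print(out)
```

The fingerprint is what makes the redaction useful rather than merely safe: the same 12 hex characters show up for every sighting of one token, so the triage script that found the token in the driver logs and the scrubbed copies in the aggregation platform can be joined on it. Place this step as close to the source as possible (the node-level shipper), since every hop before it still carries the plaintext.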

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
