CVE-2023-3893 Overview
A privilege escalation vulnerability was discovered in Kubernetes affecting Windows nodes running kubernetes-csi-proxy. This security issue allows a user who can create pods on Windows nodes to potentially escalate to administrative privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy.
Critical Impact
Attackers with pod creation privileges on Windows nodes can escalate to full administrative access, potentially compromising the entire node and any workloads running on it.
Affected Products
- Kubernetes CSI Proxy (multiple versions)
- Kubernetes CSI Proxy 2.0.0-alpha0
- Windows nodes running kubernetes-csi-proxy
Discovery Timeline
- 2023-11-03 - CVE-2023-3893 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2023-3893
Vulnerability Analysis
This privilege escalation vulnerability exists in the Kubernetes CSI (Container Storage Interface) Proxy component, which runs specifically on Windows nodes in Kubernetes clusters. The CSI Proxy acts as an intermediary that allows containerized CSI drivers to perform privileged storage operations on Windows nodes without requiring the containers themselves to run with elevated privileges.
The vulnerability stems from improper input validation (CWE-20) in how the CSI Proxy handles requests from pods. When a user with pod creation capabilities submits specially crafted requests through the CSI Proxy interface, they can bypass intended security controls and execute operations with administrative privileges on the Windows node.
The attack requires network access and low-privilege authenticated access to the Kubernetes cluster, specifically the ability to create pods on affected Windows nodes. Once exploited, an attacker gains complete control over the confidentiality, integrity, and availability of the compromised node.
Root Cause
The root cause of this vulnerability is improper input validation (CWE-20) within the kubernetes-csi-proxy component. The CSI Proxy fails to adequately validate and sanitize input from pod requests before executing privileged storage operations. This allows malicious actors to craft requests that escape the intended security boundaries and execute with elevated privileges.
Attack Vector
The attack vector is network-based, requiring an authenticated attacker with the ability to create pods on Windows nodes running kubernetes-csi-proxy. The attacker leverages this access to submit malicious requests through the CSI Proxy interface, which are then executed with administrative privileges due to the improper input validation.
The exploitation does not require user interaction and can be executed remotely by any user with pod creation privileges on affected Windows nodes. The vulnerability allows attackers to achieve full administrative access to the Windows node, enabling them to access sensitive data, modify system configurations, or disrupt services.
Detection Methods for CVE-2023-3893
Indicators of Compromise
- Unusual pod creation activity targeting Windows nodes with CSI Proxy
- Unexpected administrative operations originating from the CSI Proxy process
- Anomalous storage-related API calls with suspicious parameters
- New administrative accounts or privilege changes on Windows nodes
Detection Strategies
- Monitor Kubernetes audit logs for pod creation events on Windows nodes, particularly those interacting with CSI components
- Implement runtime protection on Windows nodes to detect privilege escalation attempts
- Review CSI Proxy logs for malformed or suspicious requests
- Deploy endpoint detection and response (EDR) solutions like SentinelOne Singularity to identify abnormal process behavior
Monitoring Recommendations
- Enable verbose logging for kubernetes-csi-proxy to capture detailed request information
- Configure alerts for administrative privilege usage on Windows nodes
- Monitor Windows Security Event Logs for privilege escalation indicators (Event IDs 4672, 4673)
- Implement network segmentation monitoring between pods and CSI Proxy endpoints
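The two log-based strategies above (Kubernetes audit logs for pod creation on Windows nodes, and Windows Security Event IDs 4672/4673) can be turned into concrete detection logic. The following Python is an added example written for this page, not code from the Kubernetes or csi-proxy projects. It assumes the API server audit policy records pod creates at the Request or RequestResponse level (so `requestObject` is present), that Windows nodes carry the `kubernetes.io/os=windows` label or the `os=windows:NoSchedule` taint used in the mitigation section, and that the Windows events arrive as flat records such as a SIEM export produces. All sample data is constructed inline.

```python
import json

# Constructed Kubernetes audit events (one JSON object per line), as written by the
# API server audit backend. Only the fields this check reads are populated.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "verb": "create", "stage": "ResponseComplete",
                "user": {"username": "system:serviceaccount:dev:ci-bot"},
                "objectRef": {"resource": "pods", "namespace": "dev", "name": "probe-1"},
                "requestObject": {"spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
                                           "containers": [{"name": "c", "image": "img"}]}}}),
    json.dumps({"kind": "Event", "verb": "create", "stage": "ResponseComplete",
                "user": {"username": "alice"},
                "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx-1"},
                "requestObject": {"spec": {"nodeSelector": {"kubernetes.io/os": "linux"},
                                           "containers": [{"name": "c", "image": "img"}]}}}),
    json.dumps({"kind": "Event", "verb": "create", "stage": "ResponseComplete",
                "user": {"username": "bob"},
                "objectRef": {"resource": "pods", "namespace": "data", "name": "copy-2"},
                "requestObject": {"spec": {"nodeName": "win-node-01",
                                           "containers": [{"name": "c", "image": "img"}]}}}),
    json.dumps({"kind": "Event", "verb": "get", "stage": "ResponseComplete",
                "user": {"username": "alice"},
                "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx-1"}}),
]

# Constructed inventory of Windows node names (assumption: kept current from
# `kubectl get nodes -l kubernetes.io/os=windows`).
WINDOWS_NODES = {"win-node-01", "win-node-02"}


def targets_windows(pod_spec, windows_nodes=WINDOWS_NODES):
    """True if the pod spec can land on a Windows node: pinned by nodeName,
    selected by the kubernetes.io/os label, or tolerating the os=windows taint."""
    if pod_spec.get("nodeName") in windows_nodes:
        return True
    if pod_spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows":
        return True
    for tol in pod_spec.get("tolerations", []):
        if tol.get("key") == "os" and tol.get("value") == "windows":
            return True
    return False


def flag_windows_pod_creates(lines, windows_nodes=WINDOWS_NODES):
    """Return (username, namespace/pod) for every completed pod create that targets
    a Windows node. Feed these into an alert or baseline per namespace/identity."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") != "create" or ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("objectRef", {}).get("resource") != "pods":
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        if targets_windows(spec, windows_nodes):
            ref = ev["objectRef"]
            hits.append((ev["user"]["username"], f"{ref['namespace']}/{ref['name']}"))
    return hits


# Constructed Windows Security events in a flattened SIEM-style shape.
# 4672 = special privileges assigned to new logon; 4673 = privileged service called.
SAMPLE_WIN_EVENTS = [
    {"EventID": 4672, "Computer": "win-node-01", "SubjectUserName": "SYSTEM",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege"},
    {"EventID": 4673, "Computer": "win-node-01", "SubjectUserName": "ContainerUser",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe", "PrivilegeList": "SeTcbPrivilege"},
    {"EventID": 4624, "Computer": "win-node-01", "SubjectUserName": "ContainerUser"},
]

# Assumption: on a node these built-in accounts are the only ones expected to exercise
# special privileges; anything else is worth a look.
EXPECTED_PRIVILEGED = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def flag_privilege_events(events, expected=EXPECTED_PRIVILEGED):
    """Return 4672/4673 events whose subject is not an expected privileged account."""
    return [e for e in events
            if e.get("EventID") in (4672, 4673)
            and e.get("SubjectUserName") not in expected]


if __name__ == "__main__":
    for user, pod in flag_windows_pod_creates(SAMPLE_AUDIT_LINES):
        print(f"pod create on Windows node: {user} -> {pod}")
    for e in flag_privilege_events(SAMPLE_WIN_EVENTS):
        print(f"unexpected privilege use on {e['Computer']}: {e['SubjectUserName']} ({e['EventID']})")
```

Correlating the two outputs by node and time window (a pod create that targets `win-node-01` shortly followed by a 4673 from an unexpected account on that node) is the signal to escalate; either list alone is noisy on a busy cluster.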
How to Mitigate CVE-2023-3893
Immediate Actions Required
- Identify all Windows nodes running kubernetes-csi-proxy in your Kubernetes clusters
- Review and restrict pod creation permissions using Kubernetes RBAC to limit which users can create pods on affected nodes
- Apply the latest security patches for kubernetes-csi-proxy
- Audit existing pods on Windows nodes for potentially malicious configurations
Patch Information
Kubernetes has released security updates to address this vulnerability. Organizations should update kubernetes-csi-proxy to the latest patched version. For detailed patch information and affected versions, refer to the GitHub Kubernetes Issue and the Kubernetes Security Announcement. NetApp users should also review the NetApp Security Advisory.
Workarounds
- Restrict pod creation privileges on Windows nodes using Kubernetes RBAC policies
- Implement Pod Security Standards to limit pod capabilities on Windows nodes
- Consider isolating Windows nodes with CSI Proxy in dedicated node pools with strict access controls
- Use network policies to restrict communication between pods and CSI Proxy endpoints
# Example RBAC and scheduling configuration to limit pod creation on Windows nodes
# Kubernetes RBAC is allow-only; there is no "deny" rule. Create a narrowly scoped
# ClusterRole that grants only pod creation, bind it solely to the identities that need it,
# and remove broader grants (wildcard verbs, cluster-admin) from everyone else.
kubectl create clusterrole restricted-windows-pod-creator \
  --verb=create \
  --resource=pods \
  --dry-run=client -o yaml | kubectl apply -f -
# Taint Windows nodes so only pods that explicitly tolerate the taint are scheduled there.
# The kubelet sets kubernetes.io/os itself; the label command just makes the selector explicit.
kubectl taint nodes <windows-node-name> os=windows:NoSchedule
kubectl label nodes <windows-node-name> kubernetes.io/os=windows
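Because RBAC grants are additive, the first step of "review and restrict pod creation permissions" is to enumerate who can already create pods and at what scope. The following Python is an added example for this page, not code from Kubernetes or csi-proxy. It walks simplified RBAC objects (the shape `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -o json` returns, reduced to the fields a review needs) and reports every subject with `create` on `pods`, distinguishing cluster-wide grants from namespaced ones. It applies the real RBAC rules: `*` matches any verb, resource or API group, and a RoleBinding that references a ClusterRole confines that ClusterRole to the binding's namespace. All role and binding names are constructed. RBAC scopes by namespace, not by node, so this review is most useful once Windows nodes sit in a dedicated node pool reachable only from a known namespace, as the workarounds above suggest.

```python
# Constructed RBAC objects. Role rules use the real rule fields; bindings are reduced to
# (kind, name) pairs for roleRef and subjects.
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "pod-creator": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}],
    "view": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}
ROLES = {  # keyed by (namespace, name); a Role only exists inside its namespace
    ("ci", "ci-pod-runner"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["create", "get"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "cluster-admin"),
     "subjects": [("Group", "platform-admins")]},
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "pod-creator"),
     "subjects": [("User", "alice")]},
    # A RoleBinding to a ClusterRole grants it only within the binding's namespace.
    {"kind": "RoleBinding", "namespace": "ci", "roleRef": ("ClusterRole", "pod-creator"),
     "subjects": [("ServiceAccount", "ci/ci-bot")]},
    {"kind": "RoleBinding", "namespace": "ci", "roleRef": ("Role", "ci-pod-runner"),
     "subjects": [("User", "bob")]},
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "view"),
     "subjects": [("Group", "system:authenticated")]},
]


def rule_allows(rule, api_group, resource, verb):
    """Evaluate one PolicyRule the way the RBAC authorizer does: '*' is a wildcard."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def role_rules(role_ref, namespace):
    """Resolve a roleRef to its rules; Roles are looked up in the binding's namespace."""
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((namespace, name), [])


def who_can_create_pods(bindings=BINDINGS):
    """Return {subject: set(scopes)}; scope is '*' for cluster-wide or a namespace name."""
    grants = {}
    for b in bindings:
        ns = b.get("namespace")
        scope = "*" if b["kind"] == "ClusterRoleBinding" else ns
        rules = role_rules(b["roleRef"], ns)
        if any(rule_allows(r, "", "pods", "create") for r in rules):
            for kind, name in b["subjects"]:
                grants.setdefault(f"{kind}:{name}", set()).add(scope)
    return grants


def cluster_wide_pod_creators(bindings=BINDINGS):
    """Subjects that can create pods in every namespace, the grants to cut first."""
    return sorted(s for s, scopes in who_can_create_pods(bindings).items() if "*" in scopes)


if __name__ == "__main__":
    for subject, scopes in sorted(who_can_create_pods().items()):
        print(f"{subject}: {', '.join(sorted(scopes))}")
    print("cluster-wide:", cluster_wide_pod_creators())
```

Subjects reported with scope `*` should be re-bound through a RoleBinding in the namespaces they actually use; `Group:system:authenticated` not appearing confirms that the broad `view` binding grants no pod creation. Aggregated ClusterRoles and `resourceNames` restrictions are not modelled here and would need to be added for a full review.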
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


