CVE-2023-5528 Overview
A privilege escalation vulnerability was discovered in Kubernetes affecting Windows nodes. Users with the ability to create pods and persistent volumes on Windows nodes can potentially escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes, making this a targeted vulnerability affecting specific deployment configurations.
Critical Impact
Authenticated attackers can escalate to full administrator privileges on Windows nodes, potentially compromising the entire node and any workloads running on it.
Affected Products
- Kubernetes (multiple versions)
- Microsoft Windows (when running as Kubernetes nodes)
- Fedora 37, 38, and 39
Discovery Timeline
- November 14, 2023 - CVE-2023-5528 published to NVD
- January 3, 2025 - Last updated in NVD database
Technical Details for CVE-2023-5528
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in Kubernetes when handling persistent volumes on Windows nodes. The in-tree storage plugins for Windows fail to properly validate user-supplied input when creating or mounting volumes, allowing an attacker who can create pods and persistent volumes to inject malicious commands or manipulate volume mount operations.
The attack requires network access and low privileges (authenticated user with pod/PV creation permissions), but requires no user interaction. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the affected Windows node.
Root Cause
The root cause is improper input validation in the Kubernetes in-tree storage plugin implementation for Windows nodes. When processing persistent volume specifications, the code fails to adequately sanitize user-controlled parameters, creating an avenue for privilege escalation. This affects only clusters utilizing in-tree storage plugins on Windows nodes—clusters using CSI (Container Storage Interface) drivers or running exclusively Linux nodes are not vulnerable.
Attack Vector
The attack vector is network-based, requiring an authenticated user with specific Kubernetes RBAC permissions to create pods and persistent volumes. The attacker crafts a malicious persistent volume specification that, when processed by the kubelet on a Windows node, executes privileged operations. This could involve path manipulation, command injection through volume parameters, or exploitation of how Windows handles certain storage operations.
The attack sequence involves:
- Attacker authenticates to the Kubernetes cluster with credentials allowing pod and PV creation
- A malicious PersistentVolume manifest is crafted with specially constructed parameters targeting Windows-specific storage handling
- When a pod referencing this PV is scheduled to a Windows node, the kubelet processes the volume mount
- Due to insufficient validation, the malicious parameters trigger privileged code execution on the Windows node
Detection Methods for CVE-2023-5528
Indicators of Compromise
- Unusual PersistentVolume or PersistentVolumeClaim resources created by non-administrative users
- Unexpected privilege escalation events or new administrator accounts on Windows nodes
- Anomalous kubectl or API server activity related to storage resource creation
- Suspicious processes spawned by the kubelet process on Windows nodes
Detection Strategies
- Monitor Kubernetes audit logs for PersistentVolume and PersistentVolumeClaim creation events, particularly from users who should not typically manage storage resources
- Implement Kubernetes admission controllers to validate and restrict PV specifications before they are accepted
- Deploy endpoint detection on Windows nodes to identify privilege escalation attempts or unauthorized administrative actions
- Use SentinelOne Singularity Platform to detect anomalous process behavior on Windows Kubernetes nodes
Monitoring Recommendations
- Enable verbose audit logging for storage-related Kubernetes API operations
- Configure alerts for any PV creation using in-tree storage classes on Windows nodes
- Monitor Windows Security event logs on affected nodes for privilege escalation indicators (Event ID 4672, 4673)
- Establish baseline behavior for kubelet processes and alert on deviations
How to Mitigate CVE-2023-5528
Immediate Actions Required
- Upgrade Kubernetes to a patched version as specified in the Kubernetes Security Announcement
- Restrict RBAC permissions for creating PersistentVolumes and PersistentVolumeClaims to only trusted administrators
- Migrate from in-tree storage plugins to CSI drivers where possible, as CSI implementations are not affected
- Review existing PersistentVolume resources for suspicious configurations
Patch Information
Patches have been released by the Kubernetes project. Administrators should consult the GitHub Issue #121879 for specific version information and patch details. Fedora users should apply updates available through the Fedora Package Announcements. Additional vendor guidance is available from the NetApp Security Advisory.
Workarounds
- If upgrading is not immediately possible, use admission controllers (like OPA Gatekeeper or Kyverno) to block PV creation using in-tree storage classes
- Limit user permissions using RBAC to prevent unauthorized users from creating PersistentVolumes
- Consider isolating Windows nodes into separate node pools with restricted scheduling policies
- Temporarily disable in-tree storage plugins on Windows nodes if workloads can tolerate CSI alternatives
# Example: RBAC restriction to prevent non-admin PV creation
kubectl create clusterrole pv-reader --verb=get,list,watch --resource=persistentvolumes
kubectl create clusterrolebinding restrict-pv-access --clusterrole=pv-reader --group=developers
# Remove any existing bindings that grant create permissions on PVs to non-admins
kubectl delete clusterrolebinding allow-pv-creation-developers 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
