CVE-2024-5321: Kubernetes Windows Log Disclosure Flaw

CVE-2024-5321 Overview

A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs. This Improper Access Control vulnerability (CWE-276) affects the confidentiality and integrity of container log data in Windows-based Kubernetes environments.

Critical Impact

Unauthorized users on Windows nodes can read sensitive container logs, while any authenticated user may modify logs, potentially enabling information disclosure, log tampering, and forensic evidence destruction.

Affected Products

• Kubernetes clusters with Windows nodes
• Windows-based kubelet deployments
• Container runtime environments on Windows nodes

Discovery Timeline

• July 18, 2024 - CVE-2024-5321 published to NVD
• November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2024-5321

Vulnerability Analysis

This vulnerability stems from incorrect default permissions (CWE-276) configured on container log files within Kubernetes Windows node deployments. The issue allows unprivileged local users belonging to the BUILTIN\Users group to read container logs that may contain sensitive application data, credentials, or internal system information. Additionally, members of the NT AUTHORITY\Authenticated Users group can modify these log files.

The local attack vector requires an attacker to have existing access to a Windows node within the Kubernetes cluster. Once access is obtained, the overly permissive file system ACLs on container logs expose sensitive data and allow tampering with audit trails.

Root Cause

The root cause is improper default permission configuration (CWE-276) on container log directories and files created by the kubelet on Windows nodes. Unlike Linux nodes where proper file permissions are enforced, Windows nodes were configured with overly permissive Access Control Lists (ACLs) that granted read access to BUILTIN\Users and modify access to NT AUTHORITY\Authenticated Users, violating the principle of least privilege.

Attack Vector

Exploitation of this vulnerability requires local access to a Windows node within the Kubernetes cluster. An attacker who has gained initial access to a Windows node—whether through a compromised user account, another vulnerability, or legitimate low-privileged access—can navigate to the container log directories and read or modify log files without requiring elevated privileges.

The attack flow involves:

1. Attaining local access to a Windows Kubernetes node
2. Navigating to container log storage locations
3. Reading sensitive information from logs (BUILTIN\Users permission)
4. Optionally modifying or deleting logs to cover tracks (NT AUTHORITY\Authenticated Users permission)

For technical details on the vulnerability mechanism, refer to the GitHub Issue Report and the Kubernetes Security Announcement.

Detection Methods for CVE-2024-5321

Indicators of Compromise

• Unexpected access to container log directories by non-administrative users
• Modified timestamps on container log files without corresponding application activity
• Suspicious user account activity accessing kubelet log storage paths
• Audit log entries showing BUILTIN\Users or unauthenticated users reading container logs

Detection Strategies

• Enable Windows Security Event logging (Event ID 4663) to monitor file access on container log directories
• Implement file integrity monitoring (FIM) on container log storage locations
• Deploy SentinelOne agents on Windows Kubernetes nodes to detect anomalous file access patterns
• Review Windows ACLs on container log directories using icacls or PowerShell commands

Monitoring Recommendations

• Configure centralized log collection before logs can be tampered with locally
• Establish baseline access patterns for container log directories and alert on deviations
• Monitor for privilege escalation attempts following log access
• Implement real-time alerting for bulk log file reads or modifications by non-service accounts

How to Mitigate CVE-2024-5321

Immediate Actions Required

• Audit current ACLs on container log directories across all Windows Kubernetes nodes
• Restrict file system permissions to only allow SYSTEM, Administrators, and the kubelet service account
• Upgrade Kubernetes to a patched version as specified in the security announcement
• Review container logs for signs of unauthorized access or tampering

Patch Information

Kubernetes has addressed this vulnerability in updated releases. Organizations should consult the Kubernetes Security Announcement for specific version information and patching guidance. Apply the latest security patches to all Windows nodes in affected clusters.

Workarounds

• Manually correct ACLs on container log directories to remove BUILTIN\Users read access and NT AUTHORITY\Authenticated Users modify access
• Implement a scheduled task or startup script to enforce proper permissions on log directories
• Use network segmentation to limit which users can access Windows Kubernetes nodes
• Deploy centralized logging solutions to capture logs before potential local tampering

# Correct container log directory permissions on Windows nodes
# Replace <log_directory_path> with actual kubelet log path
$logPath = "C:\var\log\containers"
$acl = Get-Acl $logPath
$acl.SetAccessRuleProtection($true, $false)
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($adminRule)
$acl.SetAccessRule($systemRule)
Set-Acl -Path $logPath -AclObject $acl