The Kubernetes community discovered security vulnerabilities CVE-2023-3676 and CVE-2023-3955 related to Windows nodes. If an attacker has the permission to create pods on Windows nodes in the cluster, they can exploit the vulnerabilities to grant themselves administrative permissions on the node.
CVE-2023-3676 and CVE-2023-3955 are rated as high severity and their Common Vulnerability Scoring System (CVSS) score is 8.8. For more information about these vulnerabilities, see #119595 and #119339.
Affected versions
Only Container Service for Kubernetes (ACK) clusters that contain Windows nodes are affected.
You can run the kubectl get nodes -l kubernetes.io/os=windows command to check if there are Windows nodes in your cluster.
The following kubelet versions are affected. Within each release line, every patch version up to and including the one listed is affected, and the fix is available starting from the version given in parentheses.
kubelet ≤ v1.28.0 (fixed in v1.28.1 and later)
kubelet ≤ v1.27.4 (fixed in v1.27.5 and later)
kubelet ≤ v1.26.7 (fixed in v1.26.8 and later)
kubelet ≤ v1.25.12 (fixed in v1.25.13 and later)
kubelet ≤ v1.24.16 (fixed in v1.24.17 and later)
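The node check and the version table above can be combined into one script. The following added example (not part of the advisory or of ACK) takes the JSON that `kubectl get nodes -o json` prints, keeps only nodes labelled `kubernetes.io/os=windows`, and compares each node's kubelet version against the highest affected patch release of its line. The sample node list is constructed for the example; the version suffixes and node names are assumptions, and release lines older than 1.24 are treated as affected on the assumption that they received no fix.

```python
import json
import re

# Highest affected patch release per minor line, taken from the advisory's table.
AFFECTED_MAX_PATCH = {
    (1, 28): 0,   # fixed in v1.28.1
    (1, 27): 4,   # fixed in v1.27.5
    (1, 26): 7,   # fixed in v1.26.8
    (1, 25): 12,  # fixed in v1.25.13
    (1, 24): 16,  # fixed in v1.24.17
}

# Accepts "v1.26.3", "1.26.3" and vendor-suffixed forms such as "v1.26.3-aliyun.1".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from a kubelet version string."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(kubelet_version):
    """True if this kubelet version is within the advisory's affected range."""
    major, minor, patch = parse_version(kubelet_version)
    limit = AFFECTED_MAX_PATCH.get((major, minor))
    if limit is None:
        # Assumption: lines older than 1.24 got no fix; lines newer than 1.28 shipped fixed.
        return (major, minor) < (1, 24)
    return patch <= limit


def affected_windows_nodes(nodes_json):
    """Return [(node name, kubelet version, affected?)] for every Windows node."""
    doc = json.loads(nodes_json)
    report = []
    for item in doc.get("items", []):
        labels = item["metadata"].get("labels", {})
        if labels.get("kubernetes.io/os") != "windows":
            continue  # Linux nodes are not affected by these CVEs
        version = item["status"]["nodeInfo"]["kubeletVersion"]
        report.append((item["metadata"]["name"], version, is_affected(version)))
    return report


# Constructed sample in the shape of `kubectl get nodes -o json` (names and versions assumed).
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "linux-node-1", "labels": {"kubernetes.io/os": "linux"}},
         "status": {"nodeInfo": {"kubeletVersion": "v1.26.3-aliyun.1"}}},
        {"metadata": {"name": "win-node-1", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"kubeletVersion": "v1.26.3-aliyun.1"}}},
        {"metadata": {"name": "win-node-2", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"kubeletVersion": "v1.28.3-aliyun.1"}}},
    ]
})

if __name__ == "__main__":
    # In a real cluster: kubectl get nodes -o json | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NODES_JSON
    for name, version, affected in affected_windows_nodes(data):
        print(f"{name:<14} {version:<20} {'AFFECTED' if affected else 'ok'}")
```

Pipe the live node list into the script to get one line per Windows node; an empty report means the cluster has no Windows nodes and is outside the scope of this advisory.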
Precautions
These vulnerabilities are fixed in the container runtime for ACK clusters that run Kubernetes 1.28. We recommend that you upgrade your cluster promptly to apply the fix. For more information, see Update procedure, methods, and duration.
Until the cluster is upgraded, follow the principle of least privilege and use role-based access control (RBAC) to restrict which users and service accounts can create pods in the affected clusters. You can also enable the API server auditing feature of the cluster to observe and record suspicious pod creations.
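With API server auditing enabled, pod creations that target Windows nodes can be pulled out of the audit log for review. The following added example (not part of the advisory or of ACK) reads JSON-lines audit events and reports every successful `create` on `pods` whose spec pins the pod to Windows, via `nodeSelector`, `spec.os.name`, or an explicit `nodeName` drawn from a supplied set of known Windows nodes. It assumes the audit policy records pod requests at the RequestResponse level so that `requestObject` is present; the sample events, usernames and node names are constructed for the example.

```python
import json


def targets_windows(pod_spec, windows_node_names=frozenset()):
    """True if the pod spec schedules the pod onto Windows nodes."""
    if pod_spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows":
        return True
    if pod_spec.get("os", {}).get("name") == "windows":
        return True
    # An explicit nodeName carries no OS label, so compare against known Windows nodes.
    return pod_spec.get("nodeName") in windows_node_names


def windows_pod_creations(audit_lines, windows_node_names=frozenset()):
    """Return a summary dict for each completed pod create aimed at a Windows node."""
    hits = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("verb") != "create":
            continue
        if event.get("objectRef", {}).get("resource") != "pods":
            continue
        if event.get("stage") != "ResponseComplete":
            continue  # skip RequestReceived duplicates of the same request
        request = event.get("requestObject", {})
        spec = request.get("spec", {})
        if not targets_windows(spec, windows_node_names):
            continue
        hits.append({
            "user": event.get("user", {}).get("username"),
            "namespace": event["objectRef"].get("namespace"),
            "pod": event["objectRef"].get("name") or request.get("metadata", {}).get("name"),
            "code": event.get("responseStatus", {}).get("code"),
        })
    return hits


# Constructed audit events in the Kubernetes audit JSON-lines shape (users and names assumed).
SAMPLE_AUDIT_LINES = "\n".join([
    '{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},'
    '"objectRef":{"resource":"pods","namespace":"web","name":"nginx-1"},'
    '"requestObject":{"metadata":{"name":"nginx-1"},"spec":{"nodeSelector":{"kubernetes.io/os":"linux"}}},'
    '"responseStatus":{"code":201}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"create",'
    '"user":{"username":"system:serviceaccount:dev:ci-bot"},'
    '"objectRef":{"resource":"pods","namespace":"dev","name":"build-7"},'
    '"requestObject":{"metadata":{"name":"build-7"},"spec":{"nodeSelector":{"kubernetes.io/os":"windows"}}},'
    '"responseStatus":{"code":201}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"bob"},'
    '"objectRef":{"resource":"pods","namespace":"dev","name":"build-7"},'
    '"responseStatus":{"code":200}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},'
    '"objectRef":{"resource":"pods","namespace":"dev"},'
    '"requestObject":{"metadata":{"name":"probe"},"spec":{"nodeName":"win-node-1"}},'
    '"responseStatus":{"code":201}}',
])

if __name__ == "__main__":
    # In practice: feed the audit log file and the names of the cluster's Windows nodes.
    for hit in windows_pod_creations(SAMPLE_AUDIT_LINES.splitlines(), {"win-node-1"}):
        print(hit)
```

The set of Windows node names can be taken from `kubectl get nodes -l kubernetes.io/os=windows`; pods that reach Windows nodes only through node affinity rules are not matched by this filter and would need an extra check on `spec.affinity`.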