A now-fixed command-injection bug in Kubernetes can be exploited by an attacker who can reach a node's log-query endpoint to gain code execution with SYSTEM privileges on the Windows nodes in a cluster, and thus fully take over those systems, according to Akamai researcher Tomer Peled.
Peled found the vulnerability, tracked as CVE-2024-9042, while conducting research for a presentation at last year's DEF CON infosec event about another Kubernetes-related flaw involving command injection in the open source container platform's sidecar project git-sync.
The latest vulnerability received a medium-severity CVSS score of 5.9 out of 10. It affects the kubelet on Windows nodes in Kubernetes releases earlier than 1.32.1 (fixes were also backported to the supported 1.31 and 1.30 lines), and only when the NodeLogQuery feature gate, which is beta but off by default, has been switched on along with the kubelet's enableSystemLogHandler and enableSystemLogQuery settings.
Additionally, to exploit CVE-2024-9042, the cluster must not only be running Windows nodes – the flaw does not affect the Linux implementation or any other OS – those nodes must also be configured to serve Log Query. This is a beta mechanism for pulling a node's service logs (on Windows, its event logs) through the kubelet's /logs endpoint, reached either via the Kubernetes API with kubectl get --raw or with a web client such as curl.
The vulnerability allows an attacker who has the ability to send such a query to a node (an authenticated caller with permission to reach the node's log endpoint, not an anonymous network attacker) to inject commands into that system via the pattern parameter of the request, which is meant to filter the returned log lines. On Windows, Log Query splices that parameter into a PowerShell command without sufficiently validating or sanitizing it, so a carefully formatted value is executed on the node with the kubelet's SYSTEM privileges.
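The mechanism described above, as an added illustration in Go (the kubelet's language) that is not the kubelet's own code or its fix: a caller-supplied pattern is spliced into a single-quoted PowerShell string literal on its way to a Get-WinEvent pipeline, so a value containing a single quote ends the literal and whatever follows is parsed as PowerShell. The kubelet's Windows implementation did run Get-WinEvent through PowerShell, but the exact command text, the allowlist, the UnquotedPipes check and all function names here are the example's own assumptions, and the breakout value used is a constructed, benign Write-Output stage, not a reproduction of the reported exploit.

```go
package main

// Added illustration, not the kubelet's code: a Windows log query whose
// caller-supplied "pattern" filter is spliced into a PowerShell pipeline.
// Command text, allowlist and function names are this example's own.

import (
	"errors"
	"fmt"
	"regexp"
)

// Fixed prefix of the (hypothetical) log-reading pipeline. The kubelet's
// Windows code built a similar Get-WinEvent pipeline; the exact text differs.
const psPrefix = "Get-WinEvent -FilterHashtable @{LogName='Application'} | Select-Object TimeCreated, Message"

// BuildFilterUnsafe splices the pattern straight into a single-quoted
// PowerShell literal. A pattern containing a single quote closes that
// literal, and everything after it is parsed as PowerShell code that runs
// with the privileges of the process that launched it (SYSTEM for the kubelet).
func BuildFilterUnsafe(pattern string) string {
	if pattern == "" {
		return psPrefix
	}
	return fmt.Sprintf("%s | Where-Object { $_.Message -like '*%s*' }", psPrefix, pattern)
}

// allowedPattern is the example's allowlist: letters, digits, space, dot,
// underscore and hyphen. It excludes the single quote (the only character
// that can end a '...' literal) and PowerShell's wildcard and metacharacters.
var allowedPattern = regexp.MustCompile(`^[A-Za-z0-9 ._-]{1,64}$`)

// BuildFilterSafe validates the pattern against the allowlist before it
// gets anywhere near the command string, rejecting anything else outright.
func BuildFilterSafe(pattern string) (string, error) {
	if pattern == "" {
		return psPrefix, nil
	}
	if !allowedPattern.MatchString(pattern) {
		return "", errors.New("pattern contains characters outside the allowlist")
	}
	return fmt.Sprintf("%s | Where-Object { $_.Message -like '*%s*' }", psPrefix, pattern), nil
}

// UnquotedPipes counts '|' characters that sit outside single-quoted
// literals, honouring PowerShell's '' escape inside a literal. The prefix
// plus a benign filter contributes exactly two; any extra one means the
// pattern broke out of its literal and added a pipeline stage of its own.
func UnquotedPipes(cmd string) int {
	pipes := 0
	inQuote := false
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case c == '\'':
			if inQuote && i+1 < len(cmd) && cmd[i+1] == '\'' {
				i++ // escaped quote, still inside the literal
				continue
			}
			inQuote = !inQuote
		case c == '|' && !inQuote:
			pipes++
		}
	}
	return pipes
}

func main() {
	// Constructed, benign breakout value: the quote ends the literal and
	// Write-Output becomes an extra pipeline stage. Not the reported exploit.
	injected := "kube' | Write-Output 'injected"
	for _, p := range []string{"kubelet", injected} {
		unsafe := BuildFilterUnsafe(p)
		fmt.Printf("unsafe %q -> %d unquoted pipes\n", p, UnquotedPipes(unsafe))
		if safe, err := BuildFilterSafe(p); err != nil {
			fmt.Printf("safe   %q -> rejected: %v\n", p, err)
		} else {
			fmt.Printf("safe   %q -> %d unquoted pipes\n", p, UnquotedPipes(safe))
		}
	}
}
```

The design point is that escaping is the weaker defence here: PowerShell's -like operator also treats `*`, `?` and `[` as metacharacters, so even a quote-safe value can change what the filter matches. Rejecting anything outside a small allowlist before building the command, as BuildFilterSafe does, removes the whole class of breakouts rather than chasing individual characters.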