Critical Kubernetes Vulnerability CVE-2024-9042: Remote Code Execution on Windows Nodes
2025-1-24 18:57:55 Author: cybersecuritynews.com (view original)

Kubernetes Cluster RCE Vulnerability

A critical vulnerability in Kubernetes, designated as CVE-2024-9042, has been discovered, enabling attackers to execute remote code with SYSTEM privileges on all Windows nodes within a Kubernetes cluster.

This vulnerability, identified by Akamai security researcher Tomer Peled, specifically affects the new beta logging feature called “Log Query.”

The vulnerability can be exploited with a simple HTTP GET request, potentially leading to full control of all Windows nodes in affected clusters.


The issue lies in Kubernetes’ Log Query functionality, which allows users to query system logs on remote nodes via the Kubernetes API.

While designed for operational convenience, this feature inadvertently introduced a command injection vulnerability. Attackers can craft malicious requests that exploit insufficient input validation in the pattern parameter of the Log Query API.


This flaw enables arbitrary PowerShell commands to be executed on Windows nodes.

To exploit this vulnerability:

  1. The cluster must be running Windows nodes.
  2. The Log Query beta feature must be enabled.
  3. The Kubernetes version must be earlier than 1.32.1.

Peled demonstrated how a carefully crafted curl command could inject malicious commands into the system using the vulnerable API endpoint:

curl "<Kubernetes API Proxy server IP>/api/v1/nodes/<NODE name>/proxy/logs/?query=nssm&pattern='$(Start-process cmd)'"

The attack succeeds because the pattern parameter is not sanitized before it reaches the Windows log-query command, so the usual payload validation never sees the injected PowerShell.

The implications of CVE-2024-9042 are severe:

  • Full Node Takeover: Successful exploitation grants attackers SYSTEM-level privileges on all Windows nodes in the cluster.
  • Cluster-Wide Risk: Once a node is compromised, attackers can potentially pivot to other parts of the cluster.
  • Data Breaches: Sensitive data stored or processed on affected nodes could be exposed.

Although the vulnerability has a CVSS score of 5.9 (medium severity), its potential impact is significant due to the ease of exploitation and widespread use of Kubernetes in enterprise environments.

The vulnerability affects Kubernetes versions:

  • v1.32.0
  • v1.31.0 to v1.31.4
  • v1.30.0 to v1.30.8
  • v1.29.12 and earlier

Clusters running these versions with Windows nodes and Log Query enabled are at risk.

Mitigation and Patching

To address this issue, Kubernetes released patches for affected versions:

  • v1.32.1
  • v1.31.5
  • v1.30.9
  • v1.29.13

Administrators are urged to upgrade their clusters immediately to these patched versions.

Additionally, organizations can implement the following mitigations:

  • Disable Log Query: If not essential, disable the Log Query feature entirely.
  • Restrict Access: Use Role-Based Access Control (RBAC) to limit who can reach node-proxy endpoints such as /logs.
  • Monitor Logs: Audit cluster logs for suspicious queries targeting /logs endpoints with unexpected inputs.

To detect potential exploitation, administrators should review audit logs for unusual requests made to the /logs endpoint with suspicious patterns or inputs.
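As an added illustration of that audit-log review (not code from the article or from the Kubernetes project), the Python below reads JSON-lines API server audit events, picks out requests to the node-proxy /logs endpoint, and flags query parameter values that carry PowerShell subexpression or command-chaining characters. The three sample events, and the user, node and IP values in them, are constructed for the example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Characters that open a PowerShell subexpression or chain commands; a
# legitimate grep-style log filter rarely needs any of them.
SUSPICIOUS_MARKERS = ("$(", "`", ";", "|", "&")

def is_node_log_query(event):
    """True if the audit event targets the kubelet log-query endpoint reached
    through the API server node proxy (/api/v1/nodes/<node>/proxy/logs)."""
    ref = event.get("objectRef") or {}
    path = urlsplit(event.get("requestURI", "")).path
    return (ref.get("resource") == "nodes" and ref.get("subresource") == "proxy"
            and "/proxy/logs" in path)

def suspicious_params(request_uri):
    """Return {param: decoded value} for query parameters containing an
    injection marker; for CVE-2024-9042 the interesting one is 'pattern'."""
    params = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    return {k: v for k, vals in params.items() for v in vals
            if any(m in v for m in SUSPICIOUS_MARKERS)}

def scan_audit_log(lines):
    """One finding per audit event that queries node logs with a suspicious
    parameter value; events that are not log queries are skipped."""
    findings = []
    for line in filter(None, (l.strip() for l in lines)):
        event = json.loads(line)
        if not is_node_log_query(event):
            continue
        hits = suspicious_params(event.get("requestURI", ""))
        if hits:
            findings.append({
                "auditID": event.get("auditID"),
                "user": (event.get("user") or {}).get("username"),
                "sourceIPs": event.get("sourceIPs", []),
                "node": (event.get("objectRef") or {}).get("name"),
                "params": hits,
            })
    return findings

# Constructed sample audit events (hypothetical, not from a real cluster): a
# benign log query, the request shape shown in the article, an unrelated call.
SAMPLE_AUDIT_LINES = [
    '{"auditID":"a1","verb":"get","user":{"username":"ops-reader"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"nodes","subresource":"proxy","name":"win-node-1"},"requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet&pattern=error"}',
    '{"auditID":"a2","verb":"get","user":{"username":"system:serviceaccount:default:ci"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"nodes","subresource":"proxy","name":"win-node-1"},"requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=nssm&pattern=%27%24(Start-process%20cmd)%27"}',
    '{"auditID":"a3","verb":"list","user":{"username":"ops-reader"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"default"},"requestURI":"/api/v1/namespaces/default/pods?limit=500"}',
]
```

Feed `scan_audit_log` the lines of an audit log file written with `--audit-log-path`; each finding carries the audit ID, caller, source IPs and node so it can be correlated with the RBAC subject that made the request.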

While Kubernetes has patched CVE-2024-9042, organizations must act swiftly to protect their clusters by applying updates and implementing additional safeguards.

Peled emphasized that although no active exploitation has been observed yet, the simplicity of crafting an exploit makes it likely that attackers will target unpatched systems in the near future.



Source: https://cybersecuritynews.com/kubernetes-cluster-rce-vulnerability/