SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Akamai uncovers critical Kubernetes flaw for Windows nodes

Tue, 28th Jan 2025

Akamai's security research team has disclosed a vulnerability in Kubernetes, tracked as CVE-2024-9042, that enables remote code execution (RCE) with SYSTEM privileges on the Windows worker nodes of a cluster. Akamai rates the flaw critical; exploitation requires that the cluster has enabled the node log query feature on its Windows nodes and that the attacker already holds permission to query a node's logs endpoint.

The vulnerability lies in the log query mechanism (the kubelet's NodeLogQuery feature), which lets a caller fetch the logs of a named service from a remote node through a simple GET request to the kubelet's /logs endpoint, normally routed through the API server as /api/v1/nodes/<node>/proxy/logs/. Exploiting this flaw could result in the complete takeover of every Windows node in a cluster.

Tomer Peled, a security researcher at Akamai, highlighted the extent of this vulnerability by explaining, "The vulnerability allows remote code execution (RCE) with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster. To exploit this vulnerability, the cluster must be configured to run the new logging mechanism 'Log Query.'"

The Akamai research notes that the log query feature is a beta feature that is off by default: a cluster is exposed only if the kubelet on its Windows nodes runs with the NodeLogQuery feature gate and the enableSystemLogQuery kubelet configuration option enabled, and is older than version 1.32.1 (the fix was also backported as 1.31.5, 1.30.9 and 1.29.13). Akamai reproduced the flaw on both on-premises deployments and Azure Kubernetes Service environments.

Successful exploitation is serious because the kubelet on Windows runs with SYSTEM privileges, so an injected command runs with full control of the node; an attacker who can reach the endpoint on each Windows node can take over all of them.

The published blog includes a proof-of-concept request built with the 'curl' tool and proposes several mitigations. The key ones are upgrading to a patched Kubernetes version and using role-based access control (RBAC) to restrict who can reach the log query endpoint: access through the API server is governed by the 'get' verb on the nodes/proxy subresource, and direct access to the kubelet by nodes/log, so both should be granted only to principals that need them. Until nodes are patched, the vulnerable path can also be removed by disabling the NodeLogQuery feature gate or setting enableSystemLogQuery to false in the kubelet configuration.
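As an added example, not from Akamai's blog or the Kubernetes project, the following Go program scans kube-apiserver audit events for GET requests to a node's proxied /logs endpoint and raises the severity when the 'pattern' query parameter carries PowerShell metacharacters. The field names follow the audit.k8s.io/v1 Event schema; the sample events, node name and usernames are constructed for this example, and the metacharacter list is a heuristic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// auditEvent holds the subset of an audit.k8s.io/v1 Event that the check needs.
type auditEvent struct {
	AuditID    string `json:"auditID"`
	Stage      string `json:"stage"`
	Verb       string `json:"verb"`
	RequestURI string `json:"requestURI"`
	User       struct {
		Username string `json:"username"`
	} `json:"user"`
	SourceIPs      []string `json:"sourceIPs"`
	ResponseStatus struct {
		Code int `json:"code"`
	} `json:"responseStatus"`
}

// Finding is one flagged node log query.
type Finding struct {
	AuditID  string
	User     string
	Node     string
	Pattern  string
	Severity string // "info" for any log query, "high" when pattern carries shell metacharacters
}

// nodeLogsPath matches the API-server proxy path to the kubelet's /logs endpoint.
var nodeLogsPath = regexp.MustCompile(`^/api/v1/nodes/([^/]+)/proxy/logs/?$`)

// metachars are characters that have no business in a log-line filter but can
// terminate or extend a PowerShell -Command string. '|' is also regex
// alternation, so drop it here if your operators use it legitimately.
const metachars = ";`$&|'\"\n\r"

// Inspect classifies one audit event; ok is false when the event is not a node log query.
// Only the ResponseComplete stage is considered so each request yields one finding.
func Inspect(ev auditEvent) (f Finding, ok bool) {
	if ev.Stage != "ResponseComplete" || ev.Verb != "get" {
		return f, false
	}
	u, err := url.Parse(ev.RequestURI)
	if err != nil {
		return f, false
	}
	m := nodeLogsPath.FindStringSubmatch(u.Path)
	if m == nil {
		return f, false
	}
	pattern := u.Query().Get("pattern") // url.Values decodes %3B back to ';'
	f = Finding{AuditID: ev.AuditID, User: ev.User.Username, Node: m[1], Pattern: pattern, Severity: "info"}
	if strings.ContainsAny(pattern, metachars) {
		f.Severity = "high"
	}
	return f, true
}

// ScanAuditLog parses newline-delimited JSON audit events and returns the findings.
func ScanAuditLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed line; a real pipeline would count these
		}
		if f, ok := Inspect(ev); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleAuditLines are constructed for this example; they are not real cluster data.
var SampleAuditLines = []string{
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet&pattern=error","user":{"username":"ops-admin"},"sourceIPs":["10.0.0.5"],"responseStatus":{"code":200}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet&pattern=x%3Bwhoami","user":{"username":"system:serviceaccount:dev:ci"},"sourceIPs":["10.0.3.9"],"responseStatus":{"code":200}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/pods","user":{"username":"ops-admin"},"sourceIPs":["10.0.0.5"],"responseStatus":{"code":200}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"RequestReceived","verb":"get","requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet&pattern=x%3Bwhoami","user":{"username":"system:serviceaccount:dev:ci"},"sourceIPs":["10.0.3.9"]}`,
}

func main() {
	for _, f := range ScanAuditLog(SampleAuditLines) {
		fmt.Printf("%s severity=%s user=%s node=%s pattern=%q\n", f.AuditID, f.Severity, f.User, f.Node, f.Pattern)
	}
}
```

For the check to see anything, the cluster's audit policy must record requests to the nodes/proxy subresource at least at the Metadata level; the "info" findings are also useful on their own, because on most clusters nobody should be querying Windows node logs through the API at all.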

The discovery follows Akamai's earlier exploratory research on Kubernetes' logging framework, which had previously identified command injection vulnerabilities triggered through malicious YAML files in Kubernetes environments.

The Log Query feature lets a caller read the logs of a named service on a remote node. In the new research Akamai found that the feature validates only some of the request's parameters, which undermines the kubelet's safety when it handles such requests on Windows nodes.

Peled found that "The service names are validated using a predefined regex", which means input validation covers the service name (the 'query' parameter) but not the other parameters, in particular the 'Pattern' parameter, which on Windows ends up in the PowerShell command the kubelet runs to filter log lines.

Exploitation was not straightforward: on Windows the log query reads from the Windows event log, fed by Event Tracing for Windows (ETW), rather than from log files the kubelet manages itself, so the researchers needed a queried service that actually produces event-log entries for the injected pattern to reach PowerShell. The blog describes one route on clusters running Calico, whose Windows components run as services installed through the Non-Sucking Service Manager (NSSM), which gave them such a service to query.
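To make the defect concrete, here is an added example written for this article in Go, the kubelet's language; it is not the kubelet's code, and the command shape, function names and allowlists are assumptions. It contrasts a builder that validates the service name but concatenates the pattern into the PowerShell command text with one that allowlists the pattern and always emits it as a single-quoted PowerShell literal.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Simplified model (an assumption for this article, not kubelet source) of how a
// Windows log query turns request parameters into a PowerShell command line:
// one parameter is validated, the other is spliced into the command text.

// serviceNameRe is the kind of allowlist the article says is applied to service names.
var serviceNameRe = regexp.MustCompile(`^[a-zA-Z0-9_.-]{1,64}$`)

// BuildVulnerable validates the service name but splices pattern straight into
// the -Command string, so whoever supplies the pattern controls PowerShell syntax.
func BuildVulnerable(service, pattern string) (string, error) {
	if !serviceNameRe.MatchString(service) {
		return "", errors.New("invalid service name")
	}
	cmd := fmt.Sprintf("Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='%s'}", service)
	if pattern != "" {
		cmd += " | Where-Object -Property Message -Match " + pattern // unquoted, unvalidated
	}
	return cmd, nil
}

// patternRe is a deliberately narrow allowlist for the filter expression:
// letters, digits and a few regex metacharacters; no quotes, ';', '$', '&' or backtick.
var patternRe = regexp.MustCompile(`^[a-zA-Z0-9 _.*+?^()\[\]-]{1,128}$`)

// psSingleQuote wraps s as a PowerShell single-quoted literal. Inside single
// quotes PowerShell performs no expansion; the only special character is the
// quote itself, which is escaped by doubling.
func psSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// BuildHardened applies the allowlist to the pattern and, as a second layer,
// always passes both user-controlled values as quoted literals.
func BuildHardened(service, pattern string) (string, error) {
	if !serviceNameRe.MatchString(service) {
		return "", errors.New("invalid service name")
	}
	cmd := fmt.Sprintf("Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName=%s}", psSingleQuote(service))
	if pattern != "" {
		if !patternRe.MatchString(pattern) {
			return "", errors.New("pattern contains disallowed characters")
		}
		cmd += " | Where-Object -Property Message -Match " + psSingleQuote(pattern)
	}
	return cmd, nil
}

func main() {
	// The second value is a constructed hostile sample, not a payload from the blog.
	for _, p := range []string{"error.*timeout", "x; whoami"} {
		v, err := BuildVulnerable("kubelet", p)
		fmt.Printf("vulnerable: %q err=%v\n", v, err)
		h, err := BuildHardened("kubelet", p)
		fmt.Printf("hardened:   %q err=%v\n", h, err)
	}
}
```

The allowlist alone would already stop the injection; the quoting is there so that a future relaxation of the allowlist does not silently reopen the hole.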

This vulnerability only affects Kubernetes clusters that run Windows nodes. The Akamai team nevertheless stresses keeping every cluster patched, including those that currently run no Windows nodes, rather than waiting for a threat to become relevant.

Akamai's conclusion emphasises ongoing vigilance: security teams should watch for unusual activity, such as unexpected queries of node log endpoints, that could hint at exploitation attempts, and respond rapidly. The team's continued research and reporting aim to strengthen the security posture of Kubernetes users against exploits of a similar nature.

Being aware of these security challenges and addressing them proactively remains a focus point for security administrators to mitigate risks associated with evolving threats in Kubernetes clusters, according to the Akamai Security Intelligence Group.
