
CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation #3871

Closed
miwithro opened this issue Aug 23, 2023 · 2 comments

Comments

@miwithro
Contributor

miwithro commented Aug 23, 2023

kubernetes/kubernetes#119594

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - HIGH (8.8)

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy.

Am I vulnerable?

Any Kubernetes environment with Windows nodes that are running kubernetes-csi-proxy is impacted. This is a common default configuration on Windows nodes. Run kubectl get nodes -l kubernetes.io/os=windows to see if any Windows nodes are in use.

Affected Versions
kubernetes-csi-proxy <= v2.0.0-alpha.0
kubernetes-csi-proxy <= v1.1.2

AKS Information:

Update your node image to 2022-containerd, 2019-containerd, or 2022-containerd-gen2 to remediate this vulnerability.

@ritazh
Member

ritazh commented Jan 2, 2024

#3869 (comment)

After updating the AKS Windows image version to WS2019:17763.4737.230809 or WS2022:20348.1906.230809, you can confirm that you have gotten the fixes by finding the package name below in c:\AzureData\CustomDataSetupScript.log on AKS Windows nodes.

csi-proxy:

csi-proxy-v1.1.2-hotfix.20230807.tar.gz
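The two checks described in this thread (list Windows nodes with kubectl, then confirm the csi-proxy hotfix package on the node) can be scripted. The block below is an added example of mine, not code from the issue, from AKS or from csi-proxy. It parses the JSON that `kubectl get nodes -o json` prints, compares each Windows node's OS build revision against the fixed image builds named above (17763.4737 and 20348.1906), and scans a copy of CustomDataSetupScript.log for the csi-proxy package name. It assumes that Windows kubelets report `status.nodeInfo.kernelVersion` as `10.0.<build>.<revision>`; the node list and log lines embedded here are constructed sample data, not real cluster output.

```python
"""Triage helpers for CVE-2023-3893 on AKS Windows nodes (added example)."""
import json
import re

# Minimum fixed build.revision per Windows build, taken from the issue:
# WS2019:17763.4737.230809 and WS2022:20348.1906.230809.
FIXED_REVISION = {17763: 4737, 20348: 1906}
# Package name the issue says appears in c:\AzureData\CustomDataSetupScript.log
FIXED_PACKAGE = "csi-proxy-v1.1.2-hotfix.20230807.tar.gz"

# Assumption: Windows kubelets report kernelVersion as "10.0.<build>.<revision>..."
KERNEL_RE = re.compile(r"^10\.0\.(\d+)\.(\d+)")
PACKAGE_RE = re.compile(r"csi-proxy-v[\w.\-]+\.tar\.gz")


def windows_nodes(nodes_json: str):
    """Yield (name, kernelVersion) for every node labelled kubernetes.io/os=windows,
    i.e. the same selection as `kubectl get nodes -l kubernetes.io/os=windows`."""
    doc = json.loads(nodes_json)
    for item in doc.get("items", []):
        labels = item.get("metadata", {}).get("labels", {})
        if labels.get("kubernetes.io/os") != "windows":
            continue
        info = item.get("status", {}).get("nodeInfo", {})
        yield item["metadata"]["name"], info.get("kernelVersion", "")


def node_status(kernel_version: str) -> str:
    """Classify one Windows node as 'patched', 'vulnerable' or 'unknown'
    by comparing its OS revision with the fixed image revision for its build."""
    m = KERNEL_RE.match(kernel_version)
    if not m:
        return "unknown"
    build, revision = int(m.group(1)), int(m.group(2))
    if build not in FIXED_REVISION:
        return "unknown"  # not a WS2019/WS2022 build covered by the advisory
    return "patched" if revision >= FIXED_REVISION[build] else "vulnerable"


def triage_nodes(nodes_json: str) -> dict:
    """Map each Windows node name to its patch status."""
    return {name: node_status(kv) for name, kv in windows_nodes(nodes_json)}


def csi_proxy_package(log_text: str):
    """Return the first csi-proxy package name mentioned in the setup log, or None."""
    for line in log_text.splitlines():
        m = PACKAGE_RE.search(line)
        if m:
            return m.group(0)
    return None


def hotfix_installed(log_text: str) -> bool:
    """True only if the log names exactly the hotfix package from the issue."""
    return csi_proxy_package(log_text) == FIXED_PACKAGE


# Constructed sample: one Linux node, one patched WS2022 node, one WS2019 node
# still on an older revision. Shape follows `kubectl get nodes -o json`.
SAMPLE_NODES = json.dumps({
    "items": [
        {"metadata": {"name": "aks-linux-1", "labels": {"kubernetes.io/os": "linux"}},
         "status": {"nodeInfo": {"kernelVersion": "5.15.0-1041-azure"}}},
        {"metadata": {"name": "akswin22-1", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"kernelVersion": "10.0.20348.1906"}}},
        {"metadata": {"name": "akswin19-1", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"kernelVersion": "10.0.17763.4252"}}},
    ]
})

# Constructed sample log lines (format is illustrative, not AKS's real log format).
SAMPLE_LOG = "\n".join([
    "2023-08-10T08:00:01 Starting node setup",
    "2023-08-10T08:00:05 csi-proxy: csi-proxy-v1.1.2-hotfix.20230807.tar.gz",
    "2023-08-10T08:00:09 Setup finished",
])

if __name__ == "__main__":
    for name, status in triage_nodes(SAMPLE_NODES).items():
        print(f"{name}: {status}")
    print("csi-proxy hotfix present:", hotfix_installed(SAMPLE_LOG))
```

In practice, feed `kubectl get nodes -o json` into `triage_nodes` and the contents of the setup log copied off each Windows node into `hotfix_installed`; a node reported as "unknown" has a build the advisory does not list and needs a manual look rather than being assumed safe.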

Contributor

Thanks for reaching out. I'm closing this issue as it was marked with "Fix released" and it hasn't had activity for 7 days.
