GCP-2024-008

Google Cloud Platform Security Advisory

Published: 2024-02-12
Reference: CVE-2023-5528

GKE

Description | Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE Standard clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

GKE Autopilot clusters and GKE node pools using GKE Sandbox are not affected because they do not support Windows Server nodes.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check audit logs for evidence of exploitation. Review the Kubernetes audit logs to determine whether this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.

Update your GKE cluster and node pools to a patched version. The following versions of GKE have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE versions or later:

  • 1.24.17-gke.6100
  • 1.25.15-gke.2000
  • 1.26.10-gke.2000
  • 1.27.7-gke.2000
  • 1.28.3-gke.1600

You can apply patch versions from newer release channels if your cluster runs the same minor version in its own release channel. This feature lets you secure your nodes until the patch version becomes the default in your release channel. For details, see Run patch versions from a newer channel.
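The audit log check described above, as an added example (not code from this advisory or from GKE): it scans Kubernetes audit events for Persistent Volume creates whose `spec.local.path` contains characters outside an allow-list. It assumes JSON-lines input in the native `audit.k8s.io/v1` event format with request bodies recorded (audit level Request or higher); the allow-list, the function names and the sample events are constructed for illustration.

```python
import json
import re

# Assumption: characters expected in an ordinary Windows or POSIX local path.
# Anything outside this allow-list counts as "special" for this check.
SPECIAL = re.compile(r"[^A-Za-z0-9 _.:\\/\-]")

def scan_audit_lines(lines):
    """Return (findings, uninspected) for PersistentVolume create events."""
    findings, uninspected = [], 0
    for raw in lines:
        try:
            ev = json.loads(raw)
            ref = ev.get("objectRef") or {}
        except (ValueError, AttributeError):
            continue  # blank, truncated or non-object line
        if (ev.get("verb") != "create" or ev.get("stage") != "ResponseComplete"
                or ref.get("resource") != "persistentvolumes"):
            continue  # only completed PersistentVolume creates, counted once
        if "requestObject" not in ev:
            uninspected += 1  # Metadata-level event: the path was not logged
            continue
        obj = ev["requestObject"] or {}
        path = ((obj.get("spec") or {}).get("local") or {}).get("path")
        bad = sorted(set(SPECIAL.findall(path))) if isinstance(path, str) else []
        if bad:
            findings.append({"pv": (obj.get("metadata") or {}).get("name"),
                             "user": (ev.get("user") or {}).get("username"),
                             "path": path, "special": bad})
    return findings, uninspected

def sample_event(resource, path=None, body=True, user="user-a", name="pv-a"):
    """Build one constructed audit log line (sample data, not a real log)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
          "stage": "ResponseComplete", "user": {"username": user},
          "objectRef": {"resource": resource, "apiVersion": "v1"}}
    if body:
        ev["requestObject"] = {"metadata": {"name": name}, "spec": {"local": {"path": path}}}
    return json.dumps(ev)

SAMPLE_LINES = [
    sample_event("persistentvolumes", r"C:\mnt\disk1"),
    sample_event("persistentvolumes", r"C:\mnt\disk1!?", user="user-b", name="pv-b"),
    sample_event("persistentvolumes", body=False),   # no request body logged
    sample_event("pods", r"C:\mnt\disk1!?"),         # other resource: ignored
]

if __name__ == "__main__":
    print(scan_audit_lines(SAMPLE_LINES))
```

A non-zero `uninspected` count means some Persistent Volume creates were logged without their request body, so their paths have to be checked another way, for example against the objects still present in the cluster.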

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

Severity: High

GKE on VMware

Description | Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on VMware clusters running Windows Server nodes and using an in-tree storage plugin might be affected.

What should I do?

Determine if you have Windows Server nodes in use on your clusters:

kubectl get nodes -l kubernetes.io/os=windows

Check audit logs for evidence of exploitation. Review the Kubernetes audit logs to determine whether this vulnerability is being exploited. Persistent Volume create events with local path fields containing special characters are a strong indication of exploitation.

Update your GKE on VMware cluster and node pools to a patched version. The following versions of GKE on VMware have been updated to fix this vulnerability. Even if you have node auto-upgrade enabled, we recommend that you manually upgrade your cluster and Windows Server node pools to one of the following GKE on VMware versions or later:

  • 1.28.100-gke.131
  • 1.16.5-gke.28
  • 1.15.8-gke.41

What vulnerabilities are addressed by this patch?

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

Severity: High

GKE on AWS

Description | Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on AWS clusters aren’t affected.

What should I do?

No action required

Severity: None

GKE on Azure

Description | Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Azure clusters aren’t affected.

What should I do?

No action required

Severity: None

GKE on Bare Metal

Description | Severity

CVE-2023-5528 allows an attacker to create pods and persistent volumes on Windows nodes in a way that enables admin privilege escalation on those nodes.

GKE on Bare Metal clusters aren’t affected.

What should I do?

No action required

Severity: None
