CP
cyberpings
VulnerabilitiesHIGH

Kubernetes CSI Driver Vulnerability - Attackers Can Delete Data

CSCyber Security News
KubernetesNFSCSI Driverpath traversalPersistentVolumes
🎯

Basically, a flaw in Kubernetes lets hackers mess with server files.

Quick Summary

A vulnerability in the Kubernetes CSI Driver for NFS could allow attackers to delete or modify server directories. Organizations using affected versions are at risk. Immediate action is needed to upgrade and secure systems.

The Flaw

A serious path traversal vulnerability has been discovered in the Kubernetes Container Storage Interface (CSI) Driver for NFS. This flaw allows attackers to delete or modify unintended directories on NFS servers. The issue arises from the driver’s failure to properly validate the subDir parameter in volume identifiers. As a result, attackers can exploit this vulnerability if they have permission to create PersistentVolumes referencing the NFS CSI driver.

When attackers craft volume identifiers containing path traversal sequences (like ../), the CSI Driver for NFS may inadvertently perform operations outside of the intended directory. For instance, a malicious entry could direct the driver to delete or alter files in unauthorized locations, leading to significant data loss or corruption.

Who's Being Targeted

Organizations that meet specific criteria are at risk. If they run the CSI Driver for NFS (nfs.csi.k8s.io) in their Kubernetes cluster, allow non-administrator users to create PersistentVolumes, and are using a version prior to v4.13.1, they are particularly vulnerable. All versions before v4.13.1 are affected because the necessary validation fix was only introduced in that release.

Administrators should be aware that the vulnerability can lead to unauthorized access and manipulation of server directories, which could have dire consequences for data integrity and security. It’s crucial for organizations to assess their exposure to this flaw.

Patch Status

The primary remediation for this vulnerability is to upgrade the CSI Driver for NFS to version v4.13.1 or later. This version includes the necessary validation checks for traversal sequences. Administrators are encouraged to inspect their PersistentVolumes and check the volumeHandle field for suspicious traversal sequences.

Additionally, reviewing CSI controller logs for unexpected directory operations can help identify potential exploitation attempts. Log entries that show operations like "Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir" are strong indicators of exploitation.

Immediate Actions

To mitigate risks, organizations should restrict PersistentVolume creation privileges to trusted users only. It’s also advisable to audit NFS exports to ensure that only intended directories are writable by the driver. As a best practice, untrusted users should never be allowed to create arbitrary PersistentVolumes referencing external storage drivers.

This vulnerability was responsibly disclosed by Shaul Ben Hai, a Senior Staff Security Researcher at SentinelOne, and the fix was developed in collaboration with the Kubernetes Security Response Committee. Organizations should act swiftly to secure their environments and prevent exploitation.

🔒 Pro insight: This vulnerability highlights the critical need for stringent validation in storage drivers to prevent path traversal attacks.

Original article from

Cyber Security News · Guru Baran

Read Full Article

Share

Related Pings

CRITICALVulnerabilities

Vulnerabilities in Schneider Electric SCADAPack - Urgent Alert

Schneider Electric has revealed a critical vulnerability in its SCADAPack RTUs. This flaw could allow unauthorized access, risking system integrity and safety. Immediate updates are essential for protection.

CISA Advisories·
HIGHVulnerabilities

Vulnerability in Schneider Electric EcoStruxure IT Software

Schneider Electric has revealed a serious vulnerability in its EcoStruxure IT Data Center Expert software. This flaw could allow hackers to access sensitive information. Users must act quickly to apply the necessary patches or mitigations to secure their systems.

CISA Advisories·
HIGHVulnerabilities

CODESYS Vulnerabilities - Critical Flaws in Festo Suite

Critical vulnerabilities have been discovered in CODESYS within Festo Automation Suite. Users must upgrade to the latest versions to avoid severe risks. Stay secure by applying updates promptly.

CISA Advisories·
HIGHVulnerabilities

Siemens SICAM SIAPP SDK - Multiple Vulnerabilities Found

Siemens has identified multiple vulnerabilities in its SICAM SIAPP SDK. Users are urged to update to version 2.1.7 to avoid potential disruptions. This is crucial for maintaining operational integrity in critical manufacturing sectors.

CISA Advisories·
HIGHVulnerabilities

AWS Bedrock AgentCore - Critical Sandbox Bypass Vulnerability

A serious flaw in AWS Bedrock's Sandbox mode allows attackers to create covert C2 channels and exfiltrate sensitive data. Users must transition to VPC mode for better security.

Cyber Security News·
HIGHVulnerabilities

Vulnerability - UK Companies House Exposed Millions of Firms

A critical vulnerability at Companies House exposed sensitive data of millions of firms. This flaw allowed unauthorized access to company records, raising significant data protection concerns. Companies are urged to verify their details and report any issues.

SecurityWeek·