Indiscriminate, opportunistic targeting.
A high-severity Kubernetes vulnerability, tracked as CVE-2023-3676 (CVSSv3 score: 8.8), has been discovered that leaves every Windows endpoint on an unpatched cluster open to remote code execution (RCE) with SYSTEM privileges. Exploitation requires only that a threat actor apply a malicious YAML (YAML Ain't Markup Language) file to the cluster.
Furthermore, proof-of-concept (PoC) code for the flaw has been publicly released.
Successful exploitation of CVE-2023-3676 would allow threat actors to achieve RCE on any Windows node in a targeted cluster with SYSTEM privileges, compromising the integrity of the data held there.
Akamai has released a kubectl command that allows users to determine whether any node in a cluster is a Windows node.
All Kubernetes versions prior to 1.28.
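A defender's triage check, added here as an example and not Akamai's command or any Kubernetes project code: given the JSON that `kubectl get nodes -o json` prints, it lists Windows nodes whose kubelet reports a release below the 1.28 threshold this advisory states. The node JSON below is constructed, and the version cut-off is the only criterion applied (a live query would pipe in `kubectl get nodes -o json`).

```python
import json
import re

# Constructed sample of `kubectl get nodes -o json` output (not real cluster data).
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "linux-cp-1", "labels": {"kubernetes.io/os": "linux"}},
         "status": {"nodeInfo": {"operatingSystem": "linux", "kubeletVersion": "v1.27.4"}}},
        {"metadata": {"name": "win-worker-1", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.27.3-eks-2f008b"}}},
        {"metadata": {"name": "win-worker-2", "labels": {"kubernetes.io/os": "windows"}},
         "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.28.0"}}},
    ]
})

# The advisory states that all Kubernetes versions prior to 1.28 are affected.
FIXED_RELEASE = (1, 28)


def parse_kubelet_version(raw):
    """Return (major, minor, patch) from strings such as 'v1.27.3-eks-2f008b'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_windows_node(node):
    """A node counts as Windows if the kubelet reports it or the standard OS label says so."""
    info = node.get("status", {}).get("nodeInfo", {})
    labels = node.get("metadata", {}).get("labels", {})
    return info.get("operatingSystem") == "windows" or labels.get("kubernetes.io/os") == "windows"


def find_exposed_windows_nodes(nodes_json):
    """Windows nodes whose kubelet release is older than the 1.28 cut-off named in the advisory."""
    exposed = []
    for node in json.loads(nodes_json).get("items", []):
        if not is_windows_node(node):
            continue
        version = node["status"]["nodeInfo"]["kubeletVersion"]
        if parse_kubelet_version(version)[:2] < FIXED_RELEASE:
            exposed.append((node["metadata"]["name"], version))
    return exposed


if __name__ == "__main__":
    for name, version in find_exposed_windows_nodes(SAMPLE_NODES_JSON):
        print(f"{name}: kubelet {version} predates 1.28, patching required")
```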
Containment, Mitigations & Remediations
It is strongly recommended that the relevant security patch is applied as soon as possible to mitigate against potential exploitation of CVE-2023-3676.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Kubernetes holds a significant share of the cluster-management market. Because threat actors generally weigh likelihood of success against asset value when choosing which attack surfaces to focus on, cluster-based products could emerge as a prime target. As Kubernetes clusters have become an integral part of business operations, threat actors will continue to exploit vulnerabilities in the associated products in an attempt to exfiltrate the sensitive data they hold.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0002 – Execution