Kubernetes CSI Driver Vulnerability - Attackers Can Delete Data
Basically, a flaw in Kubernetes lets hackers mess with server files.
A vulnerability in the Kubernetes CSI Driver for NFS could allow attackers to delete or modify server directories. Organizations using affected versions are at risk. Immediate action is needed to upgrade and secure systems.
The Flaw
A serious path traversal vulnerability has been discovered in the Kubernetes Container Storage Interface (CSI) Driver for NFS. This flaw allows attackers to delete or modify unintended directories on NFS servers. The issue arises from the driver’s failure to properly validate the subDir parameter in volume identifiers. As a result, attackers can exploit this vulnerability if they have permission to create PersistentVolumes referencing the NFS CSI driver.
When attackers craft volume identifiers containing path traversal sequences (like ../), the CSI Driver for NFS may inadvertently perform operations outside of the intended directory. For instance, a malicious entry could direct the driver to delete or alter files in unauthorized locations, leading to significant data loss or corruption.
Who's Being Targeted
Organizations that meet specific criteria are at risk. If they run the CSI Driver for NFS (nfs.csi.k8s.io) in their Kubernetes cluster, allow non-administrator users to create PersistentVolumes, and are using a version prior to v4.13.1, they are particularly vulnerable. All versions before v4.13.1 are affected because the necessary validation fix was only introduced in that release.
Administrators should be aware that the vulnerability can lead to unauthorized access and manipulation of server directories, which could have dire consequences for data integrity and security. It’s crucial for organizations to assess their exposure to this flaw.
Patch Status
The primary remediation for this vulnerability is to upgrade the CSI Driver for NFS to version v4.13.1 or later. This version includes the necessary validation checks for traversal sequences. Administrators are encouraged to inspect their PersistentVolumes and check the volumeHandle field for suspicious traversal sequences.
Additionally, reviewing CSI controller logs for unexpected directory operations can help identify potential exploitation attempts. Log entries that show operations like "Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir" are strong indicators of exploitation.
Immediate Actions
To mitigate risks, organizations should restrict PersistentVolume creation privileges to trusted users only. It’s also advisable to audit NFS exports to ensure that only intended directories are writable by the driver. As a best practice, untrusted users should never be allowed to create arbitrary PersistentVolumes referencing external storage drivers.
This vulnerability was responsibly disclosed by Shaul Ben Hai, a Senior Staff Security Researcher at SentinelOne, and the fix was developed in collaboration with the Kubernetes Security Response Committee. Organizations should act swiftly to secure their environments and prevent exploitation.