CVE-2023-30512: 
vulnerability analysis and mitigation

CubeFS through version 3.2.1 contains a privilege escalation vulnerability in its Kubernetes integration. The vulnerability exists because the DaemonSet 'cfs-csi-node' uses a service account with cluster-level permissions through the 'cfs-csi-cluster-role', which allows listing all secrets, including administrative credentials (GitHub Issue). The vulnerability was discovered and reported by Nanzi Yang on April 9, 2023, and was assigned CVE-2023-30512 (NVD).

The vulnerability stems from the DaemonSet and Deployment both using the service account 'cfs-csi-service-account', which is bound to 'cfs-csi-cluster-role' via 'cfs-csi-cluster-role-binding'. This cluster role includes permissions to 'get' and 'list' all secrets in the Kubernetes cluster. The CVSS v3.1 base score for this vulnerability is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

An attacker who gains control of a worker node can exploit this vulnerability to access all secrets in the Kubernetes cluster, including administrative credentials, effectively achieving cluster-level privilege escalation. This allows an attacker to escalate from node-level access to cluster-wide administrative privileges (GitHub Issue).

Several mitigation strategies have been proposed: 1) Restrict the secrets that can be accessed by the DaemonSet using specific secret names, 2) Use RoleBinding instead of ClusterRoleBinding to limit access to the CubeFS namespace only, 3) Implement more complex service account naming conventions, and 4) Remove the 'get/list' permissions for secrets from the DaemonSet's service account (GitHub Issue).