Wiz
Vulnerability DatabaseCVE-2023-3893

CVE-2023-3893
NixOS vulnerability analysis and mitigation

Overview

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy. The vulnerability was discovered in July 2023 and publicly disclosed in August 2023. The affected versions include kubernetes-csi-proxy <= v2.0.0-alpha.0 and kubernetes-csi-proxy <= v1.1.2 (Kubernetes Issue, Security Announce).

Technical details

The vulnerability has been assigned CVE-2023-3893 and received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from insufficient input sanitization in the kubernetes-csi-proxy component, specifically affecting Windows nodes. Full mitigation requires patches applied for multiple CVEs including CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893 (NVD, Kubernetes Issue).

Impact

Successful exploitation of this vulnerability could allow an attacker who can create pods on Windows nodes to escalate to admin privileges on those nodes. This could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

Mitigation and workarounds

The vulnerability has been fixed in kubernetes-csi-proxy v2.0.0-alpha.1 and v1.1.3. To upgrade, administrators need to: cordon the node, stop the associated Windows service, replace the csi-proxy.exe binary, restart the associated Windows service, and un-cordon the node. For environments using Windows host process daemon sets, upgrading the image to a fixed version such as ghcr.io/kubernetes-sigs/sig-windows/csi-proxy:v1.1.3 is sufficient. Outside of applying the provided patch, there are no known mitigations (Kubernetes Issue).

Community reactions

The vulnerability was discovered by James Sturtevant and Mark Rossetti during the process of fixing CVE-2023-3676. The fix was coordinated by a team including members from the Kubernetes security response committee and involved multiple security researchers and release managers (Security Announce).

Additional resources

SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo