CVE-2023-3955: 
NixOS vulnerability analysis and mitigation

A security issue was discovered in Kubernetes (CVE-2023-3955) where users with pod creation privileges on Windows nodes could potentially escalate to admin privileges on those nodes. The vulnerability was discovered in August 2023 and affects Kubernetes clusters that include Windows nodes. The vulnerability has been rated HIGH with a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (Kubernetes Discussion, GitHub Issue).

The vulnerability stems from insufficient input sanitization on Windows nodes. It affects multiple versions of the kubelet component: versions <= v1.28.0, <= v1.27.4, <= v1.26.7, <= v1.25.12, and <= v1.24.16. The issue specifically relates to the handling of Windows PowerShell disk format options in in-tree volume plugins (GitHub Issue, Kubernetes Discussion).

When successfully exploited, this vulnerability allows users with pod creation capabilities to escalate their privileges to admin level on affected Windows nodes. This could lead to unauthorized access, potential data manipulation, and complete compromise of the affected nodes (NetApp Advisory, GitHub Issue).

The vulnerability has been patched in the following versions: kubelet v1.28.1, v1.27.5, v1.26.8, v1.25.13, and v1.24.17. Full mitigation requires patches for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893. The fix impacts Windows PowerShell disk format options in in-tree volume plugins, though there are no known use cases for this functionality. Outside of applying the patches, there are no known mitigations (GitHub Issue, Kubernetes Discussion).

The vulnerability was discovered by James Sturtevant and Mark Rossetti during the process of fixing CVE-2023-3676. The fix was coordinated by a team including members from the Kubernetes security response committee and release managers (GitHub Issue).