
Kubernetes vulnerability threatens Windows endpoints


A new vulnerability enables remote code execution (RCE) with system privileges on all Windows endpoints in a Kubernetes cluster.

The vulnerability was discovered by Akamai researcher Tomer Peled. The critical flaw in Kubernetes’ Log Query function, designated CVE-2024-9042, is easy to exploit: a single GET request to the remote node is enough to initiate the attack. GET is the ordinary HTTP method for retrieving data from a server and is among the most widely used methods in the protocol.

Normally, the Log Query function retrieves information from remote machines to determine their status. When an attacker successfully makes the request, all Windows nodes within the Kubernetes cluster can be taken over.

The Akamai researcher tried several command-injection methods, and the difficulty turned out to lie not in the payload itself (as is usual) but elsewhere: the researcher had to find a service that logs its status to Event Tracing for Windows (ETW) rather than to the regular klog framework, because the vulnerable check is present when logging to ETW.

Urgent patching required

The new vulnerability affects standard installations of Kubernetes using beta features in versions older than 1.32.1. Both on-premises deployments and the Azure Kubernetes Service are vulnerable. As a result, many organizations are at risk.

Given the severity of the vulnerability, organizations must patch their Kubernetes environments quickly. This is especially true for clusters with Windows nodes, since the vulnerability explicitly affects those systems.
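As an added example (not code from the article, Akamai or the Kubernetes project), a POSIX shell inventory check that flags Windows nodes reporting a kubelet version older than 1.32.1, the first fixed release the article names. It assumes the kubelet version reflects the node's Kubernetes release and that node lines are piped in from `kubectl get nodes -o custom-columns=...`; a constructed sample inventory is embedded so it runs offline.

```shell
#!/bin/sh
# Input lines: "<node-name> <operatingSystem> <kubeletVersion>", as produced by
#   kubectl get nodes --no-headers -o custom-columns='NAME:.metadata.name,OS:.status.nodeInfo.operatingSystem,VER:.status.nodeInfo.kubeletVersion'
# Assumption: kubeletVersion is the node's Kubernetes release (first fixed: 1.32.1).

FIXED_MAJOR=1; FIXED_MINOR=32; FIXED_PATCH=1

# version_lt "v1.31.4": succeeds (exit 0) when the version is older than 1.32.1
version_lt() {
    v=${1#v}                       # strip the leading "v"
    v=${v%%[-+]*}                  # drop pre-release/build suffixes such as -eks-abc123
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;            # "v1.32" means 1.32.0
    esac
    [ "$major" -lt "$FIXED_MAJOR" ] && return 0
    [ "$major" -gt "$FIXED_MAJOR" ] && return 1
    [ "$minor" -lt "$FIXED_MINOR" ] && return 0
    [ "$minor" -gt "$FIXED_MINOR" ] && return 1
    [ "$patch" -lt "$FIXED_PATCH" ]
}

# vulnerable_windows_nodes: read node lines on stdin, print Windows nodes still needing the patch
vulnerable_windows_nodes() {
    while read -r name os ver; do
        [ "$os" = "windows" ] || continue   # Linux nodes are not affected by this issue
        if version_lt "$ver"; then
            printf '%s %s\n' "$name" "$ver"
        fi
    done
}

# Constructed sample inventory (not output from a real cluster)
SAMPLE_NODES='cp-1 linux v1.31.4
win-a windows v1.31.4
win-b windows v1.32.1
win-c windows v1.30.2-eks-abc123
lin-x linux v1.29.0'

printf '%s\n' "$SAMPLE_NODES" | vulnerable_windows_nodes
```

Run it against live output by replacing the sample with the `kubectl` command from the comment; an empty result means every Windows node reports 1.32.1 or newer.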
