CVE-2024-10220
Arbitrary Command Execution vulnerability in kubernetes (Go)
What is CVE-2024-10220 About?
CVE-2024-10220 is an arbitrary command execution vulnerability in the Kubernetes kubelet. A user who can create pods can abuse the deprecated gitRepo volume type to make the kubelet, which runs git on the node while preparing the volume, execute attacker-controlled commands outside the container boundary. Since the kubelet normally runs as root, this amounts to compromise of the node and of every workload scheduled on it, including their secrets. Public proofs of concept exist, so exploitation should be treated as straightforward for anyone with pod-creation rights in a cluster that still admits gitRepo volumes.
Affected Software
k8s.io/kubernetes, specifically the kubelet's gitRepo volume plugin. The page lists versions before 1.28.12 as affected; upstream shipped the fix in 1.28.12, 1.29.7 and 1.30.3.
Technical Details
The vulnerability resides in the k8s.io/kubernetes component, in the kubelet's handling of the deprecated gitRepo volume type. When a pod declares a gitRepo volume, the kubelet itself runs git on the node to clone the repository into the volume directory before the pod's containers start. The repository contents and the volume's `directory` and `revision` parameters are all controlled by the pod author, so a malicious pod can arrange for that git invocation to execute a hook script from the repository. The script runs with the kubelet's privileges on the node (normally root), not inside any container. This is not an API-server input-sanitization bug; the root cause is that the kubelet executes git against untrusted, user-supplied input.
What is the Impact of CVE-2024-10220?
Successful exploitation gives the attacker code execution as the kubelet on the node, typically root. From there they can read the credentials and secrets of every pod scheduled on that node, tamper with other containers, use the node's own kubelet identity against the API server, and exfiltrate data. Depending on what is scheduled on the compromised node, this can escalate to a cluster-wide compromise.
What is the Exploitability of CVE-2024-10220?
Exploitation requires authenticated access to the cluster with permission to create pods, directly or through a controller that creates pods, in a cluster where the gitRepo volume type is still admitted. No node access is needed: the attack is launched through the Kubernetes API and lands on whichever node schedules the pod, so it is remote from the node's point of view. Complexity is moderate, since the attacker must host a repository crafted for the kubelet's git invocation, but the public proofs of concept listed below show that the technique is well understood.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| XiaomingX | Link | CVE-2024-10220 Test repo |
| mochizuki875 | Link | CVE-2024-10220 Test repo |
| any2sec | Link | PoC for CVE-2024-10220 |
What are the Available Fixes for CVE-2024-10220?
Available Upgrade Options
- k8s.io/kubernetes
  - <1.28.12 → Upgrade to 1.28.12

Upstream also fixed the issue in the 1.29 and 1.30 release lines (1.29.7 and 1.30.3). The fix lives in the kubelet, so nodes must be upgraded; upgrading only the control plane does not remove the exposure. Where upgrading is not immediately possible, block gitRepo volumes at admission and audit existing pods for them. The volume type has been deprecated for a long time and can be replaced by an init container that runs `git clone` into an emptyDir volume.
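The mitigation above, blocking gitRepo volumes until nodes are patched, can be implemented as a simple admission or audit check. The following is an added example written for this page, not code from the Kubernetes project. It assumes a Pod manifest in JSON as returned by the API server and mirrors only the fields it needs with standard-library structs instead of importing k8s.io/api; the two manifests are constructed samples. The same function can be run over each item of `kubectl get pods -A -o json` to find existing pods that still use the deprecated type.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Minimal view of a Pod manifest: only the fields this check reads.
// Assumption: k8s.io/api is not imported so the example builds with the
// standard library alone; the JSON field names match the real Pod schema.
type gitRepoVolumeSource struct {
	Repository string `json:"repository"`
	Revision   string `json:"revision,omitempty"`
	Directory  string `json:"directory,omitempty"`
}

type volume struct {
	Name    string               `json:"name"`
	GitRepo *gitRepoVolumeSource `json:"gitRepo,omitempty"`
}

type podManifest struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Volumes []volume `json:"volumes"`
	} `json:"spec"`
}

// GitRepoVolumes parses a Pod manifest (JSON) and returns the names of all
// volumes that use the deprecated gitRepo type, the type through which
// CVE-2024-10220 is reachable. An empty result means the pod is clean.
func GitRepoVolumes(manifest []byte) ([]string, error) {
	var p podManifest
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("parse pod manifest: %w", err)
	}
	if p.Kind != "" && p.Kind != "Pod" {
		return nil, fmt.Errorf("expected kind Pod, got %q", p.Kind)
	}
	var found []string
	for _, v := range p.Spec.Volumes {
		if v.GitRepo != nil {
			found = append(found, v.Name)
		}
	}
	return found, nil
}

// Admit models the decision an admission webhook or ValidatingAdmissionPolicy
// would make on an unpatched cluster: deny any pod carrying a gitRepo volume.
func Admit(manifest []byte) (allowed bool, reason string, err error) {
	names, err := GitRepoVolumes(manifest)
	if err != nil {
		return false, "", err
	}
	if len(names) > 0 {
		return false, fmt.Sprintf("gitRepo volumes %v are not permitted (deprecated type; CVE-2024-10220)", names), nil
	}
	return true, "", nil
}

// Constructed sample manifests (not taken from the page or any real cluster).
const podWithGitRepo = `{
  "kind": "Pod",
  "metadata": {"name": "builder", "namespace": "ci"},
  "spec": {
    "volumes": [
      {"name": "scratch", "emptyDir": {}},
      {"name": "source", "gitRepo": {"repository": "https://git.example.invalid/app.git", "directory": "app"}}
    ]
  }
}`

// Same workload expressed safely: clone into an emptyDir from an init container instead.
const podWithEmptyDir = `{
  "kind": "Pod",
  "metadata": {"name": "builder", "namespace": "ci"},
  "spec": {
    "volumes": [{"name": "source", "emptyDir": {}}]
  }
}`

func main() {
	for _, m := range []string{podWithGitRepo, podWithEmptyDir} {
		ok, reason, err := Admit([]byte(m))
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(1)
		}
		if ok {
			fmt.Println("allowed")
		} else {
			fmt.Println("denied:", reason)
		}
	}
}
```

The check deliberately keys on the presence of the `gitRepo` field rather than on repository URLs or directory names: any gitRepo volume causes the kubelet to run git on the node, so on an unpatched node there is no safe subset to allow-list.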
Additional Resources
- http://www.openwall.com/lists/oss-security/2024/11/20/1
- https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko
- https://github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b
- https://github.com/kubernetes/kubernetes/issues/128885
- https://osv.dev/vulnerability/GO-2024-3286
- https://github.com/advisories/GHSA-27wf-5967-98gx
What are Similar Vulnerabilities to CVE-2024-10220?
Similar Vulnerabilities: CVE-2020-8558, CVE-2021-25741, CVE-2021-25740, CVE-2022-3162, CVE-2023-2864
