CVE-2023-29332

FAQ

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain Cluster Administrator privileges.

How do I protect my resources against this vulnerability?

Customers must update or upgrade their Azure Kuberenetes Service resource deployments using the following guidance:

• Upgrade your AKS node image to receive the fix without altering your Kubernetes version.
• Upgrade your AKS cluster to a newer version which will also bring your node image to the latest version.

What additional actions can customers take to help ensure their resources are secure?

We highly encourage customers to enable automatic node image upgrades for their Azure Kubernetes Resources to get the latest security releases in the future.

General Availability Customers:

• Automatically upgrade an Azure Kubernetes Service (AKS) cluster - Azure Kubernetes Service | Microsoft Learn
• CLI command: az aks update --resource-group [myResourceGroup] --name [myAKSCluster] --auto-upgrade-channel node-image

Or

Preview Customers:

• Automatically upgrade Azure Kubernetes Service (AKS) cluster node operating system images - Azure Kubernetes Service | Microsoft Learn:
• CLI command: az aks update --resource-group [myResourceGroup] --name [myAKSCluster] --node-os-upgrade-channel NodeImage

According to the CVSS metric, attack complexity is high (AC:H) but integrity is none (I:N) and availability is none (A:N). What does that mean for this vulnerability?

The Confidentiality is set to High because an attacker who successfully exploits this vulnerability could access tokens beyond a user’s typical privilege.

The exploit results in token disclosure, however it does not affect the Integrity and Availability of the system. Thus, both of these are set as None.

According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is set to Network because this vulnerability is remotely exploitable and can be exploited from the internet.

The attack complexity is set to Low because an attacker does not require significant prior knowledge of the cluster/system and can achieve repeatable success when attempting to exploit this vulnerability.

How do I determine if my resources are susceptible to this vulnerability?

Azure Kubernetes Service resources using the following image versions are protected against this vulnerability.

• AKS resources with Ubuntu OS - Image 202308.01 or above

• AKS resources with Windows OS - Image 20348.1906 or above

To determine if any of your resources are susceptible to this CVE, navigate to your cluster's overview page in the Azure Portal, and select Diagnose and Solve Problems. Navigate to Identity and Security and select TLS Bootstrap Token CVE to identify the susceptible agent pools in your AKS cluster.

Note: Agent pools created or upgraded in the last 48 hours are protected; however, this might not immediately reflect in Diagnose and Solve Problems. Please allow up to 48 hours for the results to be updated.