The Kubernetes Container Storage Interface (CSI) Driver for NFS has a critical vulnerability that could let attackers delete or modify directories on NFS servers without authorization. This flaw, identified as a path traversal vulnerability, poses a significant risk to clusters where users are permitted to create PersistentVolumes referencing the NFS CSI driver.
Understanding the Vulnerability
The core of the issue lies in the inadequate validation of the subDir parameter within volume identifiers. Attackers with the ability to create PersistentVolumes using the nfs.csi.k8s.io driver can exploit this by crafting volume identifiers containing path traversal sequences. As a result, the CSI Driver might execute operations on directories beyond the intended scope during volume deletion or cleanup tasks.
An example includes volumeHandle entries that path traverse beyond their designated directory using sequences like /tmp/mount-uuid/legitimate/../../../exports/subdir, leading to potential unauthorized modifications or deletions on the NFS server.
Conditions for Exploitation
Organizations are vulnerable when several conditions are met: they run the NFS CSI Driver, their Kubernetes cluster allows non-administrative users to create PersistentVolumes referencing this driver, and they have not yet upgraded to a version that addresses this vulnerability. Specifically, all versions before v4.13.1 are susceptible.
Administrators should inspect PersistentVolumes for unusual path traversal sequences and review CSI controller logs for unexpected directory operations to determine exposure. Any signs of exploitation should be reported promptly to the Kubernetes security team.
Mitigation and Remediation
To mitigate this risk, the primary recommendation is to upgrade the CSI Driver for NFS to version v4.13.1 or above, which resolves this validation issue. Until the upgrade is feasible, it is advised to restrict PersistentVolume creation to trusted users and audit current NFS exports to ensure drivers can only access intended directories.
Shaul Ben Hai, a security researcher at SentinelOne, responsibly disclosed this vulnerability, and the fix was implemented by the CSI Driver maintainers in collaboration with the Kubernetes Security Response Committee. This incident underscores the importance of securing Kubernetes clusters against unauthorized access and maintaining up-to-date software.
Stay informed on the latest cybersecurity developments by following us on Google News, LinkedIn, and X. For story features, contact our editorial team.
