Kubernetes CSI Driver NFS Security Hole

The Kubernetes Container Storage Interface (CSI) Driver for NFS has a path traversal vulnerability that could let attackers delete or change directories on NFS servers that they should not be able to reach. The problem stems from insufficient validation of the subDir parameter in volume identifiers. Clusters that let users create PersistentVolumes pointing at the NFS CSI driver are exposed.

The weakness lies in how the CSI Driver for NFS handles the subDir parameter during volume operations. Attackers with permission to create PersistentVolumes that use the nfs.csi.k8s.io driver can craft volume IDs containing path traversal sequences (../). When the driver deletes or cleans up such a volume, it may operate on directories outside the intended managed path in the NFS export.

For instance, malicious volumeHandle entries that point to paths like /tmp/mount-uuid/legitimate/../../../exports/subdir could make the CSI controller operate outside the directory scope it was meant to stay within, leading to unintended changes or deletions on the NFS server.

An organization is at risk if all of the following conditions apply:

- It runs the CSI Driver for NFS (nfs.csi.k8s.io) in its Kubernetes cluster.
- Its cluster lets non-administrator users create PersistentVolumes that point to the NFS CSI driver.
- Its deployed CSI driver version does not validate traversal sequences in the subDir field.

This security hole affects all versions of the CSI Driver for NFS before v4.13.1, the release in which the traversal validation fix was added.

Administrators running the NFS CSI driver can check whether their cluster is exposed by listing PersistentVolumes and reviewing the volumeHandle field for traversal sequences such as ../. They should also check the CSI controller logs for unexpected directory operations. Log entries like "Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir" are a strong indicator of exploitation.

Clusters that are being actively exploited should be reported immediately to security@kubernetes.io. The main fix is to update the CSI Driver for NFS to version v4.13.1 or later, which includes proper validation of traversal sequences in the subDir field. As a temporary mitigation, administrators should restrict PersistentVolume creation to trusted users and audit NFS exports to ensure the driver can write only to the intended directories.
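As an added example (not code from the csi-driver-nfs project or from this advisory), the following Go program implements both checks described above: a containment test of the kind the subDir validation fix performs, and a scan of volumeHandle values and controller log lines for ../ segments. The sample handles, the server#share#subDir#id handle layout and the log lines are constructed assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// hasDotDot reports whether any "/"-separated segment of s is "..", the traversal indicator the advisory points to.
func hasDotDot(s string) bool {
	for _, seg := range strings.Split(s, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// escapesBase reports whether base joined with subDir lexically resolves outside base (symlinks are not followed).
func escapesBase(base, subDir string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Join(base, subDir))
	return err != nil || rel == ".." || strings.HasPrefix(rel, "../")
}

// flagTraversal returns the keys (PV names or log line ids) whose value contains a ".." segment.
func flagTraversal(entries map[string]string) []string {
	var hits []string
	for k, v := range entries {
		if hasDotDot(v) {
			hits = append(hits, k)
		}
	}
	return hits
}

// Constructed sample data, not from a real cluster; the server#share#subDir#id layout is an
// assumption about the handle format, and only the subDir segment matters for the check.
var sampleHandles = map[string]string{
	"pv-data":  "nfs.example.internal#/exports#legitimate#id-1",
	"pv-rogue": "nfs.example.internal#/exports#legitimate/../../../exports/subdir#id-2",
}
var sampleLogs = map[string]string{
	"line-1": "Removing subPath: /tmp/mount-uuid/legitimate",
	"line-2": "Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir",
}

func main() {
	fmt.Println("flagged PVs:", flagTraversal(sampleHandles), "flagged log lines:", flagTraversal(sampleLogs))
	fmt.Println("rogue subDir escapes /tmp/mount-uuid:", escapesBase("/tmp/mount-uuid", "legitimate/../../../exports/subdir"))
}
```

In a real cluster the handle map would be filled from the spec.csi.volumeHandle field of each PersistentVolume and the log map from the controller pod's logs.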

As a general security rule, untrusted users should never be allowed to create arbitrary PersistentVolumes that point to external storage drivers. Shaul Ben Hai, a Senior Staff Security Researcher at SentinelOne, responsibly disclosed the vulnerability. The CSI Driver for NFS maintainers Andy Zhang and Rita Zhang worked with the Kubernetes Security Response Committee to develop and deploy the fix.
