Manage CSIDrivers (potential node compromise)
Elevation of Privilege
Critical
Overview
| Field | Value |
|---|---|
| ID | 1055 |
| Name | Manage CSIDrivers (potential node compromise) |
| Risk Category | Elevation of Privilege |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | storage.k8s.io |
| Resources | csidrivers |
| Risky Verb Combinations | [create] · [update] · [patch] · [delete] |
| Tags | NodeAccess PrivilegeEscalation StorageManipulation Tampering |
Description
Allows creating, updating, or deleting CSIDrivers. CSIDrivers define how container orchestrators interact with storage systems. A malicious CSIDriver could potentially compromise nodes by running privileged operations or exfiltrating data, leading to privilege escalation and node access.
Abuse Scenarios
- Create a new CSIDriver that could be used for malicious purposes.
kubectl create -f - <<EOF
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: malicious.csi.example.com
spec:
attachRequired: false
podInfoOnMount: false
volumeLifecycleModes:
- Persistent
EOF
# Example: kubectl create -f - <<EOF ... EOF
- Delete an existing CSIDriver, disrupting storage operations.
kubectl delete csidriver <csidriver-name>
# Example: kubectl delete csidriver ebs.csi.aws.com