Kubernetes NFS CSI Driver Vulnerability Exposes Clusters to Path Traversal Attacks
A critical path traversal vulnerability has been discovered in the Kubernetes Container Storage Interface (CSI) Driver for NFS, potentially allowing attackers to delete or modify unintended directories on connected NFS servers. The flaw (tracked under CVE-2024-3177) arises from insufficient validation of the subDir parameter in volume identifiers, enabling malicious actors to exploit clusters where users can create PersistentVolumes referencing the NFS CSI driver.
How the Vulnerability Works
The issue lies in how the CSI driver processes the subDir parameter during volume operations. Attackers with permissions to create PersistentVolumes using the nfs.csi.k8s.io driver can craft volume identifiers containing path traversal sequences (e.g., ../). When the driver executes deletion or cleanup operations, it may traverse outside the intended directory scope, leading to unauthorized modifications or deletions on the NFS server.
For example, a maliciously crafted volumeHandle like /tmp/mount-uuid/legitimate/../../../exports/subdir could force the CSI controller to operate on unintended directories.
Affected Systems & Risk Conditions
Organizations are at risk if they meet all of the following criteria:
- Running the NFS CSI Driver (nfs.csi.k8s.io) in their Kubernetes cluster.
- Allowing non-administrator users to create PersistentVolumes referencing the NFS CSI driver.
- Using a vulnerable version of the driver (all versions prior to v4.13.1).
Detection & Exploitation Indicators
Administrators can check for exposure by:
- Inspecting PersistentVolumes using the NFS CSI driver for traversal sequences (e.g., ../) in the volumeHandle field.
- Reviewing CSI controller logs for suspicious directory operations, such as:
Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir
Clusters showing signs of exploitation should be reported to security@kubernetes.io.
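The two checks above, as an added Python example (not code from the article or from the CSI driver project): it flags nfs.csi.k8s.io PersistentVolumes whose volumeHandle contains a .. segment, and controller log lines whose "Removing subPath:" target does. The PV list and log lines are constructed samples, and treating # as a field separator alongside / is an assumption.

```python
import json
import re

NFS_DRIVER = "nfs.csi.k8s.io"  # driver name from the advisory

def has_traversal(path):
    """True if any segment is exactly '..'. Splitting on '#' as well as '/'
    is an assumption, covering handles that pack several fields together."""
    return ".." in re.split(r"[/#]", path)

def suspicious_pvs(pv_list):
    """Return (name, volumeHandle) for NFS CSI PVs whose handle has a '..' segment."""
    hits = []
    for pv in pv_list.get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}  # non-CSI PVs have no csi block
        handle = csi.get("volumeHandle", "")
        if csi.get("driver") == NFS_DRIVER and has_traversal(handle):
            hits.append((pv["metadata"]["name"], handle))
    return hits

def suspicious_log_lines(lines, marker="Removing subPath:"):
    """Return log lines whose path after the marker has a '..' segment."""
    return [ln for ln in lines
            if marker in ln and has_traversal(ln.split(marker, 1)[1].strip())]

# Constructed sample in the shape of `kubectl get pv -o json` output.
SAMPLE_PVS = json.loads("""
{"items": [
  {"metadata": {"name": "pv-ok"},
   "spec": {"csi": {"driver": "nfs.csi.k8s.io",
                    "volumeHandle": "/tmp/mount-uuid/data..v2/subdir"}}},
  {"metadata": {"name": "pv-traversal"},
   "spec": {"csi": {"driver": "nfs.csi.k8s.io",
                    "volumeHandle": "/tmp/mount-uuid/legitimate/../../../exports/subdir"}}},
  {"metadata": {"name": "pv-other-driver"},
   "spec": {"csi": {"driver": "other.csi.example.com", "volumeHandle": "a/../b"}}},
  {"metadata": {"name": "pv-hostpath"}, "spec": {"hostPath": {"path": "/data"}}}
]}
""")

# Constructed controller log lines; the second repeats the article's example.
SAMPLE_LOGS = [
    "Removing subPath: /tmp/mount-uuid/pvc-1234",
    "Removing subPath: /tmp/mount-uuid/legitimate/../../../exports/subdir",
]

if __name__ == "__main__":
    print(suspicious_pvs(SAMPLE_PVS))
    print(suspicious_log_lines(SAMPLE_LOGS))
```

On a live cluster, pass the parsed output of kubectl get pv -o json to suspicious_pvs in place of the sample.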
Remediation & Mitigation
The primary fix is upgrading the NFS CSI Driver to v4.13.1 or later, which includes proper validation of traversal sequences. Interim measures include:
- Restricting PersistentVolume creation privileges to trusted users.
- Auditing NFS exports to ensure only intended directories are writable by the driver.
Disclosure & Credits
The vulnerability was responsibly disclosed by Shaul Ben Hai, Senior Staff Security Researcher at SentinelOne. The fix was developed by Andy Zhang and Rita Zhang of the CSI Driver for NFS maintainers, in coordination with the Kubernetes Security Response Committee.
Source: https://cybersecuritynews.com/kubernetes-csi-driver-nfs-vulnerability/
Kubernetes cybersecurity rating report: https://www.rankiteo.com/company/kubernetes
"id": "KUB1773764746",
"linkid": "kubernetes",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"