
CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs #4276

Open
miwithro opened this issue May 9, 2024 · 1 comment


miwithro commented May 9, 2024

Hello Kubernetes Community,

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access cloud resources. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

This issue has been rated MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (6.5), and assigned CVE-2024-3744.

Am I vulnerable?

You may be vulnerable if TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag and you are using workload identity federation.

To check if token requests are configured, run the following command:

kubectl get csidriver file.csi.azure.com -o jsonpath="{.spec.tokenRequests}"

To check if tokens are being logged, examine the secrets-store container log:

kubectl logs csi-azurefile-controller-56bfddd689-dh5tk -c azurefile -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"

Affected Versions

  • azure-file-csi-driver <= v1.29.3

  • azure-file-csi-driver v1.30.0

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by running azure-file-csi-driver at log level 0 or 1 via the -v flag.

AKS Fixed Versions

Upgrade your cluster to v1.28.5 and above to get azure-file-csi-driver v1.29.4 or greater.

@miwithro miwithro added the bug label May 9, 2024
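As an added example (not part of the issue or the driver's own code), the checks from the advisory as a small POSIX shell script: it evaluates the three conditions the post lists (tokenRequests set, -v of 2 or more, an affected version) and scans driver log text for the token key while masking token values before the output is shared. The sample log lines, the tokenRequests value and the exact log line layout are constructed assumptions, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the issue or the driver: offline checks for the
# CVE-2024-3744 conditions (tokenRequests set, -v >= 2, affected version) and a
# redacting scanner for driver log text. Sample data below is constructed.
TOKEN_KEY="csi.storage.k8s.io/serviceAccount.tokens"

# is_affected_version VERSION: true for <= v1.29.3 or exactly v1.30.0.
is_affected_version() {
  v=${1#v}
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  patch=${patch%%[!0-9]*}            # drop any "-rc1"-style suffix
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1
  [ "$minor" -lt 29 ] && return 0
  [ "$minor" -eq 29 ] && [ "$patch" -le 3 ] && return 0
  [ "$minor" -eq 30 ] && [ "$patch" -eq 0 ] && return 0
  return 1
}

# verbosity_of ARGS...: prints the klog -v level from the driver args (default 0).
verbosity_of() {
  level=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -v=*|--v=*) level=${1#*=} ;;
      -v|--v) level=${2:-0}; if [ $# -gt 1 ]; then shift; fi ;;
    esac
    shift
  done
  echo "$level"
}

# is_exposed TOKENREQUESTS VERBOSITY VERSION: true when all three conditions hold,
# i.e. the driver would write service account tokens to its log.
is_exposed() { [ -n "$1" ] && [ "$2" -ge 2 ] && is_affected_version "$3"; }

# count_token_lines: number of stdin lines carrying the token volume-context key.
count_token_lines() { grep -c -- "$TOKEN_KEY" || true; }

# redact_tokens: copy stdin, masking every "token":"..." value before it is shared.
redact_tokens() { sed 's/\("token":"\)[^"]*"/\1[REDACTED]"/g'; }

# Constructed sample resembling a -v=2 NodePublishVolume trace (not a real capture).
SAMPLE_LOG='I0509 12:00:00.000001 1 nodeserver.go:1] GRPC call: /csi.v1.Node/NodePublishVolume
I0509 12:00:00.000002 1 nodeserver.go:2] volume context: map['"$TOKEN_KEY"':{"":{"token":"eyJCONSTRUCTED.sample.token","expirationTimestamp":"2024-05-09T13:00:00Z"}}]
I0509 12:00:00.000003 1 nodeserver.go:3] GRPC response: {}'

printf '%s\n' "$SAMPLE_LOG" | redact_tokens
```

On a live cluster, feed `kubectl get csidriver file.csi.azure.com -o jsonpath="{.spec.tokenRequests}"`, the driver's container args and image tag into `is_exposed`, and pipe `kubectl logs` output through `redact_tokens` before attaching it to any ticket.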

andyzhangx commented May 9, 2024

this issue is already fixed in aks rp 0411 release, I think we could close it now.
btw, it only affects azure file csi driver on aks 1.29 before 0411 release.
