A critical command injection vulnerability has been identified in the NeuVector container security platform. This flaw allows an attacker to execute arbitrary commands on affected systems by manipulating specific environment variables, potentially leading to a complete compromise of the containerized environment, data theft, and loss of service. Due to its critical severity and the potential for full system takeover, immediate patching is strongly recommended.

This vulnerability is a command injection flaw within the NeuVector enforcer component. The enforcer process constructs a system command using the values of the CLUSTER_RPC_PORT and CLUSTER_LAN_PORT environment variables. Because these variables are not properly sanitized before being passed to a popen command execution function, an attacker who can control these environment variables can inject malicious shell commands. Successful exploitation results in remote code execution with the privileges of the enforcer process, which could lead to container escape and compromise of the underlying host.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation could grant an attacker complete control over the affected container security infrastructure. The potential consequences include unauthorized access to sensitive data, disruption of critical applications, lateral movement across the network, and the ability to disable or bypass security controls. This poses a significant risk to data confidentiality, integrity, and availability, potentially leading to severe financial and reputational damage.

Immediate Action: Update NeuVector to the latest version as recommended by the vendor to patch this vulnerability. After patching, it is crucial to monitor for any signs of post-compromise activity and thoroughly review system and access logs for any indicators of exploitation that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring on NeuVector enforcer components. Specifically, look for unusual or suspicious process executions originating from the enforcer, unexpected network traffic, and any logs indicating modifications to the CLUSTER_RPC_PORT and CLUSTER_LAN_PORT environment variables.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Restrict permissions to modify pod or container environment variables using Kubernetes admission controllers or other policy enforcement tools. Additionally, apply strict network egress filtering to limit the enforcer's ability to communicate with untrusted external endpoints, which could hinder an attacker's command-and-control activities.

Public Exploit Available: false

Given the critical CVSS score of 9.9, this vulnerability represents a severe and immediate threat to the security of your containerized environments. We strongly recommend that all organizations using NeuVector treat this as a top-priority patching event. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants immediate action. A full inventory of NeuVector deployments should be conducted to identify and remediate all vulnerable instances without delay.