KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node daemon) is running, the virt-handler service account can be used to modify the specs of all nodes. This can be misused to lure in system-level privileged components which can, for instance, read all secrets on the cluster or exec into pods on other nodes. In this way, a compromised node can be used to escalate privileges beyond that node, potentially up to full privileged access to the whole cluster. The simplest way to exploit this, once a specific node has been compromised, is to use the virt-handler service account to mark all other nodes unschedulable and simply wait until system-critical, highly privileged components are scheduled onto the compromised node. No patches are available as of the time of publication. As a workaround, Gatekeeper users can add a webhook that blocks the `virt-handler` service account from modifying the spec of a node.
{"id": "CVE-2023-26484", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2023-26484", "description": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. 
As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node.", "published": "2023-03-15T21:15:00", "modified": "2023-03-27T16:58:00", "epss": [{"cve": "CVE-2023-26484", "epss": 0.0005, "percentile": 0.16939, "modified": "2023-06-03"}], "cvss": {"score": 3.6, "vector": "AV:N/AC:H/Au:S/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.6}, "severity": "LOW", "exploitabilityScore": 3.9, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.8}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26484", "reporter": "security-advisories@github.com", "references": ["https://github.com/kubevirt/kubevirt/issues/9109", "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2"], "cvelist": ["CVE-2023-26484"], "immutableFields": [], "lastseen": "2023-06-03T17:50:19", "viewCount": 26, "enchantments": {"score": {"value": 7.6, "vector": "NONE"}, "affected_software": {"major_version": [{"name": "kubevirt", "version": 0}]}, "dependencies": {"references": [{"type": "github", "idList": ["GHSA-CP96-JPMQ-XRR2"]}, {"type": "nessus", "idList": ["SUSE_SU-2023-1967-1.NASL"]}, {"type": "osv", "idList": 
["OSV:GHSA-CP96-JPMQ-XRR2"]}, {"type": "redhatcve", "idList": ["RH:CVE-2023-26484"]}, {"type": "veracode", "idList": ["VERACODE:39897"]}]}, "epss": [{"cve": "CVE-2023-26484", "epss": 0.0005, "percentile": 0.16909, "modified": "2023-05-02"}], "vulnersScore": 7.6}, "_state": {"score": 1685814696, "affected_software_major_version": 0, "dependencies": 0, "epss": 0}, "_internal": {"score_hash": "401d3b9125684a71d3d0ad16f156f697"}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "score": 8.2}}}, "cpe": ["cpe:/a:kubevirt:kubevirt:0.59.0"], "cpe23": ["cpe:2.3:a:kubevirt:kubevirt:0.59.0:*:*:*:*:kubernetes:*:*"], "cwe": ["CWE-863"], "affectedSoftware": [{"cpeName": "kubevirt:kubevirt", "version": "0.59.0", "operator": "le", "name": "kubevirt"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:kubevirt:kubevirt:0.59.0:*:*:*:*:kubernetes:*:*", "versionEndIncluding": "0.59.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/kubevirt/kubevirt/issues/9109", "name": "https://github.com/kubevirt/kubevirt/issues/9109", "refsource": "MISC", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2", "name": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2", "refsource": "MISC", "tags": ["Mitigation", "Vendor Advisory"]}], "product_info": [{"vendor": "kubevirt", "product": "kubevirt"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "exploits": []}
{"osv": [{"lastseen": "2023-03-27T22:57:28", "description": "### Impact\n\nIf a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs.\n\nThis can be misused to lure-in system-level-privileged components (which can for instance read all secrets on the cluster, or can exec into pods on other nodes). This way a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster.\n\nThe simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node.\n\nSince this requires a node to be compromised first, the severity of this finding is considered Medium.\n\n### Patches\n\nNot yet available.\n\n### Workarounds\nGatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node.\n\nAn example policy, preventing virt-handler from changing the node spec may look like this:\n\n```yaml\napiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: virthandlerrestrictions\nspec:\n[...]\n targets:\n - libs:\n - | \n[...] 
\n is_virt_handler(username) {\n username == \"system:serviceaccount:kubevirt:virt-handler\"\n }\n mutates_node_in_unintended_way {\n # TODO\n # only allow kubevirt.io/ prefixed metadata node changes\n }\n rego: |\n[...]\n \n violation[{\"msg\": msg}] {\n is_virt_handler(username)\n mutates_node_in_unintended_way(input.review.object, input.review.oldObject)\n msg := sprintf(\"virt-handler tries to modify node <%v> in an unintended way.\", [input.review.object.name])\n }\n```\n\nand applying this template to node modifications.\n\n\n### Credits\n\nSpecial thanks to the discoverers of this issue:\n\nNanzi Yang (nzyang@stu.xidian.edu.cn)\nXin Guo (guox@stu.xidian.edu.cn)\nJietao Xiao (jietaoXiao@stu.xidian.edu.cn)\nWenbo Shen (shenwenbo@zju.edu.cn)\nJinku Li (jkli@xidian.edu.cn)\n\n### References\n\nhttps://github.com/kubevirt/kubevirt/issues/9109", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.8}, "published": "2023-03-16T16:04:42", "type": "osv", "title": "On a compromised node, the virt-handler service account can be used to modify all node specs", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2023-26484"], "modified": "2023-03-27T22:24:34", "id": "OSV:GHSA-CP96-JPMQ-XRR2", "href": "https://osv.dev/vulnerability/GHSA-cp96-jpmq-xrr2", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-05-17T16:47:22", "description": "The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:1967-1 advisory.\n\n - KubeVirt is a virtual machine management add-on for Kubernetes. 
In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node. (CVE-2023-26484)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-25T00:00:00", "type": "nessus", "title": "SUSE SLES15 / openSUSE 15 Security Update : kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container (SUSE-SU-2023:1967-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-26484"], "modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kubevirt-manifests", "p-cpe:/a:novell:suse_linux:kubevirt-virtctl", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2023-1967-1.NASL", "href": "https://www.tenable.com/plugins/nessus/174718", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2023:1967-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174718);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2023-26484\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2023:1967-1\");\n\n script_name(english:\"SUSE SLES15 / openSUSE 15 Security Update : kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container (SUSE-SU-2023:1967-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as\nreferenced in the SUSE-SU-2023:1967-1 advisory.\n\n - KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a\n malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running,\n the virt-handler service account can be used to modify all node specs. This can be misused to lure-in\n system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec\n into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node\n until potentially having full privileged access to the whole cluster. The simplest way to exploit this,\n once a user could compromise a specific node, is to set with the virt-handler service account all other\n nodes to unschedulable and simply wait until system-critical components with high privileges appear on its\n node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a\n webhook which will block the `virt-handler` service account to modify the spec of a node. 
(CVE-2023-26484)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1208916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1209359\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.suse.com/pipermail/sle-updates/2023-April/028964.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2023-26484\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-26484\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/03/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kubevirt-manifests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kubevirt-virtctl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security 
Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES|SUSE)\") audit(AUDIT_OS_NOT, \"SUSE / openSUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+|SUSE([\\d.]+))\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE / openSUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15|SUSE15\\.4)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / openSUSE 15', 'SUSE / openSUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE / openSUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP4\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'kubevirt-manifests-0.54.0-150400.3.13.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-containers-release-15.4', 'sles-release-15.4']},\n {'reference':'kubevirt-virtctl-0.54.0-150400.3.13.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-containers-release-15.4', 'sles-release-15.4']},\n {'reference':'kubevirt-container-disk-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'kubevirt-manifests-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'kubevirt-tests-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'kubevirt-virt-api-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'kubevirt-virt-controller-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'kubevirt-virt-handler-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'kubevirt-virt-launcher-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'kubevirt-virt-operator-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n 
{'reference':'kubevirt-virtctl-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'obs-service-kubevirt_containers_meta-0.54.0-150400.3.13.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kubevirt-container-disk / kubevirt-manifests / kubevirt-tests / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2023-06-03T19:47:00", "description": "github.com/kubevirt/kubevirt is vulnerable to Privilege Escalation. 
A remote attacker is able to compromise a specific node and wait until system-critical components with high privileges appear on its node. A compromised node can be used to elevate privileges beyond the node, potentially having full privileged access to the whole cluster.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.8}, "published": "2023-03-22T02:34:07", "type": "veracode", "title": "Privilege Escalation", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26484"], "modified": "2023-03-27T18:48:22", "id": "VERACODE:39897", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-39897/summary", "cvss": {"score": 3.6, "vector": "AV:N/AC:H/Au:S/C:P/I:P/A:N"}}], "redhatcve": [{"lastseen": "2023-06-03T20:13:38", "description": "A flaw was found in the Kubevirt package. KubeVirt could allow a remote authenticated attacker to bypass security restrictions caused by improper authorization validation. 
An attacker can modify all node specs by sending a specially-crafted request using the virt-handler service account.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.8}, "published": "2023-03-20T04:13:13", "type": "redhatcve", "title": "CVE-2023-26484", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26484"], "modified": "2023-05-23T04:10:06", "id": "RH:CVE-2023-26484", "href": "https://access.redhat.com/security/cve/cve-2023-26484", "cvss": {"score": 3.6, "vector": "AV:N/AC:H/Au:S/C:P/I:P/A:N"}}], "github": [{"lastseen": "2023-06-03T20:12:26", "description": "### Impact\n\nIf a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs.\n\nThis can be misused to lure-in system-level-privileged components (which can for instance read all secrets on the cluster, or can exec into pods on other nodes). 
This way a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster.\n\nThe simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node.\n\nSince this requires a node to be compromised first, the severity of this finding is considered Medium.\n\n### Patches\n\nNot yet available.\n\n### Workarounds\nGatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node.\n\nAn example policy, preventing virt-handler from changing the node spec may look like this:\n\n```yaml\napiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: virthandlerrestrictions\nspec:\n[...]\n targets:\n - libs:\n - | \n[...] \n is_virt_handler(username) {\n username == \"system:serviceaccount:kubevirt:virt-handler\"\n }\n mutates_node_in_unintended_way {\n # TODO\n # only allow kubevirt.io/ prefixed metadata node changes\n }\n rego: |\n[...]\n \n violation[{\"msg\": msg}] {\n is_virt_handler(username)\n mutates_node_in_unintended_way(input.review.object, input.review.oldObject)\n msg := sprintf(\"virt-handler tries to modify node <%v> in an unintended way.\", [input.review.object.name])\n }\n```\n\nand applying this template to node modifications.\n\n\n### Credits\n\nSpecial thanks to the discoverers of this issue:\n\nNanzi Yang (nzyang@stu.xidian.edu.cn)\nXin Guo (guox@stu.xidian.edu.cn)\nJietao Xiao (jietaoXiao@stu.xidian.edu.cn)\nWenbo Shen (shenwenbo@zju.edu.cn)\nJinku Li (jkli@xidian.edu.cn)\n\n### References\n\nhttps://github.com/kubevirt/kubevirt/issues/9109", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.8}, "published": "2023-03-16T16:04:42", "type": "github", "title": "On a compromised node, the virt-handler service account can be used to modify all node specs", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-26484"], "modified": "2023-03-27T22:24:36", "id": "GHSA-CP96-JPMQ-XRR2", "href": "https://github.com/advisories/GHSA-cp96-jpmq-xrr2", "cvss": {"score": 3.6, "vector": "AV:N/AC:H/Au:S/C:P/I:P/A:N"}}]}