8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
3.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
26.5%
If a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs.
This can be misused to lure-in system-level-privileged components (which can for instance read all secrets on the cluster, or can exec into pods on other nodes). This way a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster.
The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node.
Since this requires a node to be compromised first, the severity of this finding is considered Medium.
Not yet available.
Gatekeeper users can add a webhook which will block the virt-handler
service account to modify the spec of a node.
An example policy, preventing virt-handler from changing the node spec may look like this:
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: virthandlerrestrictions
spec:
[...]
targets:
- libs:
- |
[...]
is_virt_handler(username) {
username == "system:serviceaccount:kubevirt:virt-handler"
}
mutates_node_in_unintended_way {
# TODO
# only allow kubevirt.io/ prefixed metadata node changes
}
rego: |
[...]
violation[{"msg": msg}] {
is_virt_handler(username)
mutates_node_in_unintended_way(input.review.object, input.review.oldObject)
msg := sprintf("virt-handler tries to modify node <%v> in an unintended way.", [input.review.object.name])
}
and applying this template to node modifications.
Special thanks to the discoverers of this issue:
Nanzi Yang ([email protected])
Xin Guo ([email protected])
Jietao Xiao ([email protected])
Wenbo Shen ([email protected])
Jinku Li ([email protected])
CPE | Name | Operator | Version |
---|---|---|---|
kubevirt.io/kubevirt | le | 0.59.0 |
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
3.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
26.5%