Lucene search

GoogleOSV:GHSA-CP96-JPMQ-XRR2

HistoryMar 16, 2023 - 4:04 p.m.

On a compromised node, the virt-handler service account can be used to modify all node specs

2023-03-1616:04:42

Google

osv.dev

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

3.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

26.5%

JSON

Impact

If a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs.

This can be misused to lure-in system-level-privileged components (which can for instance read all secrets on the cluster, or can exec into pods on other nodes). This way a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster.

The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node.

Since this requires a node to be compromised first, the severity of this finding is considered Medium.

Patches

Not yet available.

Workarounds

Gatekeeper users can add a webhook which will block the virt-handler service account to modify the spec of a node.

An example policy, preventing virt-handler from changing the node spec may look like this:

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: virthandlerrestrictions
spec:
[...]
  targets:
    - libs:
        - |         
[...]          
          is_virt_handler(username) {
              username == "system:serviceaccount:kubevirt:virt-handler"
          }
          mutates_node_in_unintended_way {
            # TODO
            # only allow kubevirt.io/ prefixed metadata node changes
          }
      rego: |
[...]
        
        violation[{"msg": msg}] {
          is_virt_handler(username)
          mutates_node_in_unintended_way(input.review.object, input.review.oldObject)
          msg := sprintf("virt-handler tries to modify node &lt;%v&gt; in an unintended way.", [input.review.object.name])
        }

and applying this template to node modifications.

Credits

Special thanks to the discoverers of this issue:

Nanzi Yang ([email protected])
Xin Guo ([email protected])
Jietao Xiao ([email protected])
Wenbo Shen ([email protected])
Jinku Li ([email protected])

References

https://github.com/kubevirt/kubevirt/issues/9109

CPENameOperatorVersion
kubevirt.io/kubevirtle0.59.0

CPE	Name	Operator	Version
	kubevirt.io/kubevirt	le	0.59.0

References

github.com/kubevirt/kubevirt

github.com/kubevirt/kubevirt/issues/9109

github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2

nvd.nist.gov/vuln/detail/CVE-2023-26484

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

3.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

26.5%

JSON

Related for OSV:GHSA-CP96-JPMQ-XRR2