ghsa-cp96-jpmq-xrr2
Vulnerability from github
Impact
If a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs.
This can be misused to lure-in system-level-privileged components (which can for instance read all secrets on the cluster, or can exec into pods on other nodes). This way a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster.
The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node.
Since this requires a node to be compromised first, the severity of this finding is considered Medium.
Patches
Not yet available.
Workarounds
Gatekeeper users can add a webhook which will block the virt-handler service account to modify the spec of a node.
An example policy, preventing virt-handler from changing the node spec may look like this:
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: virthandlerrestrictions
spec:
[...]
targets:
- libs:
- |
[...]
is_virt_handler(username) {
username == "system:serviceaccount:kubevirt:virt-handler"
}
mutates_node_in_unintended_way {
# TODO
# only allow kubevirt.io/ prefixed metadata node changes
}
rego: |
[...]
violation[{"msg": msg}] {
is_virt_handler(username)
mutates_node_in_unintended_way(input.review.object, input.review.oldObject)
msg := sprintf("virt-handler tries to modify node <%v> in an unintended way.", [input.review.object.name])
}
```
and applying this template to node modifications.
Credits
Special thanks to the discoverers of this issue:
Nanzi Yang (nzyang@stu.xidian.edu.cn) Xin Guo (guox@stu.xidian.edu.cn) Jietao Xiao (jietaoXiao@stu.xidian.edu.cn) Wenbo Shen (shenwenbo@zju.edu.cn) Jinku Li (jkli@xidian.edu.cn)
References
https://github.com/kubevirt/kubevirt/issues/9109
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.59.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26484"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-16T16:04:42Z",
"nvd_published_at": "2023-03-15T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIf a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs.\n\nThis can be misused to lure-in system-level-privileged components (which can for instance read all secrets on the cluster, or can exec into pods on other nodes). This way a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster.\n\nThe simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node.\n\nSince this requires a node to be compromised first, the severity of this finding is considered Medium.\n\n### Patches\n\nNot yet available.\n\n### Workarounds\nGatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node.\n\nAn example policy, preventing virt-handler from changing the node spec may look like this:\n\n```yaml\napiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: virthandlerrestrictions\nspec:\n[...]\n targets:\n - libs:\n - | \n[...] \n is_virt_handler(username) {\n username == \"system:serviceaccount:kubevirt:virt-handler\"\n }\n mutates_node_in_unintended_way {\n # TODO\n # only allow kubevirt.io/ prefixed metadata node changes\n }\n rego: |\n[...]\n \n violation[{\"msg\": msg}] {\n is_virt_handler(username)\n mutates_node_in_unintended_way(input.review.object, input.review.oldObject)\n msg := sprintf(\"virt-handler tries to modify node \u003c%v\u003e in an unintended way.\", [input.review.object.name])\n }\n```\n\nand applying this template to node modifications.\n\n\n### Credits\n\nSpecial thanks to the discoverers of this issue:\n\nNanzi Yang (nzyang@stu.xidian.edu.cn)\nXin Guo (guox@stu.xidian.edu.cn)\nJietao Xiao (jietaoXiao@stu.xidian.edu.cn)\nWenbo Shen (shenwenbo@zju.edu.cn)\nJinku Li (jkli@xidian.edu.cn)\n\n### References\n\nhttps://github.com/kubevirt/kubevirt/issues/9109",
"id": "GHSA-cp96-jpmq-xrr2",
"modified": "2023-03-27T22:24:34Z",
"published": "2023-03-16T16:04:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26484"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/issues/9109"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubevirt/kubevirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "On a compromised node, the virt-handler service account can be used to modify all node specs"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.