Bug 2179728 (CVE-2023-26484)

Summary: CVE-2023-26484 kubevirt: Incorrect Authorization
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dkenigsb, fdeutsch, oramraz, phoracek, sgott, smullick
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Kubevirt package. KubeVirt could allow a remote authenticated attacker to bypass security restrictions caused by improper authorization validation. An attacker can modify all node specs by sending a specially-crafted request using the virt-handler service account.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2179735, 2179736, 2179737, 2179738, 2179739, 2179740, 2179741, 2179742, 2179743, 2179744    
Bug Blocks: 2179323    

Description Avinash Hanwate 2023-03-20 04:04:41 UTC 
KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node.

https://github.com/kubevirt/kubevirt/issues/9109
https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2
Comment 2 Fabian Deutsch 2023-04-12 08:49:10 UTC 
Maybe https://github.com/kubevirt/kubevirt/pull/9162 has a fix for the issue.