Bug 2265398 (CVE-2024-1725)

Summary: CVE-2024-1725 kubevirt-csi: PersistentVolume allows access to HCP's root node
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dfreiber, drow, jburrell, security-response-team, sidakwo, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2265400    

Description Nick Tait 2024-02-21 20:36:59 UTC 
A security issue has been discovered in the HCP OpenShift Virtualization provider
that allows unauthorized users to gain access to HCP worker node root
volumes.

The attack vector is a component called kubevirt-csi, which provides the
ability for an HCO OCP-Virt guest cluster to be configured in a way that
lets the guest cluster use the same underlying storage as the
infrastructure cluster the VMs are running in. Through the use of
kubevirt-csi and a well crafted PV within the HCP OCP-Virt guest cluster, a
user who has the ability to create PVs can gain access to any node's root
volume by crafting a PV volumeHandle that matches the name of a worker node
VM's root volume PVC. That name is trivial to predict because it is the
node's name followed by "-rhcos".

The result is the user can then get kubevirt-csi to attach any node's root
volume to a pod workload within the guest cluster as a PVC.
Comment 6 errata-xmlrpc 2024-04-02 19:33:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1559 https://access.redhat.com/errata/RHSA-2024:1559
Comment 7 errata-xmlrpc 2024-04-26 12:38:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891
Comment 8 errata-xmlrpc 2024-05-02 16:37:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047
Comment 9 Martin Prpič 2024-06-11 15:34:52 UTC 
Upstream, this was addressed via commit:

https://github.com/kubevirt/csi-driver/pull/103/commits/a61f36c42700f54352919318ed806d1ae2d716f4