Bug 2317916 (CVE-2024-9779)

Summary:	CVE-2024-9779 open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	alcohan, gparvin, lbainbri, njean, owatkins, pahickey, rhaigner
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-10-10 20:36:13 UTC

The Deployment named "cluster-manager" uses a ServiceAccount with the same name ("cluster-manager"). This ServiceAccount is bound to a ClusterRole also named "cluster-manager," which includes the permission to create Pod resources.

Therefore, if this Deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any sa's token by creating and mounting target sa and even control the whole cluster.