Bug 2265398 (CVE-2024-1725) - CVE-2024-1725 kubevirt-csi: PersistentVolume allows access to HCP's root node
Summary: CVE-2024-1725 kubevirt-csi: PersistentVolume allows access to HCP's root node
Keywords:
Status: NEW
Alias: CVE-2024-1725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2265400
TreeView+ depends on / blocked
 
Reported: 2024-02-21 20:36 UTC by Nick Tait
Modified: 2024-06-11 15:34 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:1559 0 None None None 2024-04-02 19:33:35 UTC
Red Hat Product Errata RHSA-2024:1891 0 None None None 2024-04-26 12:38:45 UTC
Red Hat Product Errata RHSA-2024:2047 0 None None None 2024-05-02 16:37:35 UTC

Description Nick Tait 2024-02-21 20:36:59 UTC
A security issue has been discovered in the HCP OpenShift Virtualization provider
that allows unauthorized users to gain access to HCP worker node root
volumes.

The attack vector is a component called kubevirt-csi, which provides the
ability for an HCO OCP-Virt guest cluster to be configured in a way that
lets the guest cluster use the same underlying storage as the
infrastructure cluster the VMs are running in. Through the use of
kubevirt-csi and a well crafted PV within the HCP OCP-Virt guest cluster, a
user who has the ability to create PVs can gain access to any node's root
volume by crafting a PV volumeHandle that matches the name of a worker node
VM's root volume PVC. That name is trivial to predict because it is the
node's name followed by "-rhcos".

The result is the user can then get kubevirt-csi to attach any node's root
volume to a pod workload within the guest cluster as a PVC.

Comment 6 errata-xmlrpc 2024-04-02 19:33:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1559 https://access.redhat.com/errata/RHSA-2024:1559

Comment 7 errata-xmlrpc 2024-04-26 12:38:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891

Comment 8 errata-xmlrpc 2024-05-02 16:37:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047

Comment 9 Martin Prpič 2024-06-11 15:34:52 UTC
Upstream, this was addressed via commit:

https://github.com/kubevirt/csi-driver/pull/103/commits/a61f36c42700f54352919318ed806d1ae2d716f4


Note You need to log in before you can comment on or make changes to this bug.