Описание
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail IO operations to skip initdata verification. This allows an attacker to launch arbitrary workloads while being able to attest successfully to Trustee impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0.
A vulnerability has been identified in Kata Containers that allows a malicious host to bypass a critical security check designed to validate workloads. On systems using TDX technology for confidential computing, an attacker with control of the host system can intentionally disrupt operations to skip this verification process. This flaw allows the attacker to run unauthorized code inside a secure, isolated virtual environment while making the malicious software appear as a trusted application.
Отчет
This vulnerability has been rated as having a Moderate severity by Red Hat Product Security team. This happens because of the limited impact in the availability and confidentiality caused by the exploitation of this flaw, additionally to be able to exploit this vulnerability the attacker needs to have host permission level. In this flaw and attacker may force IO operations to fail, kata will apply the designated policies to the workload either way and the malicious workload will be successfully attested and will start impersonating an benign workload. The exploitation of this vulnerability is possible only when the workload is using rootfs to host the guest binaries, if the binaries are present on a initrd it's not possible to the attacker to intercept the IO operations and cause it to fail.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | kata-containers | Affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Will not fix |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7.1 High
CVSS3
Связанные уязвимости
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, a malicious host can selectively fail IO operations to skip initdata verification. This allows an attacker to launch arbitrary workloads while being able to attest successfully to Trustee impersonating any benign workload. This issue has been patched in Kata Containers version 3.21.0.
Kata Containers coco-tdx malicious host can circumvent initdata verification
EPSS
7.1 High
CVSS3