Описание
KubeVirt is a virtual machine management add-on for Kubernetes. The hostDisk feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the DiskOrCreate option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.
A flaw was found in KubeVirt's hostDisk feature. A logic bug in the DiskOrCreate option, which creates a file if it doesn't exist when mounting host files or directories into a VM, allows an attacker with VM creation privileges to read and write arbitrary files owned by more privileged users on the host system beyond the intended UID 107 restriction.
Отчет
This vulnerability is MODERATE because successful exploitation would require authenticated cluster access with specific RBAC permissions to create VMs using the hostDisk feature -capabilities that are restricted to trusted users in properly configured environments and not available to standard unprivileged users. This issue arises from a logic flaw in KubeVirt's hostDisk feature implementation, specifically in the DiskOrCreate option that automatically creates files on the host if they don't already exist. The hostDisk feature is designed to allow mounting host files or directories owned by user UID 107 into a virtual machine, but the vulnerable code fails to properly validate and enforce ownership constraints during file creation. An attacker with permissions to create VMs and specify hostDisk configurations can exploit this bug to create or access files owned by more privileged users on the Kubernetes host node, effectively bypassing the intended UID 107 restriction. This enables reading sensitive files (such as credentials or configuration data) and writing to privileged locations, potentially leading to further privilege escalation or system compromise.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Virtualization 4 | kubevirt | Affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
6 Medium
CVSS3
Связанные уязвимости
KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.
KubeVirt Vulnerable to Arbitrary Host File Read and Write
Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container
6 Medium
CVSS3