On a compromised KubeVirt node, the virt-handler service account can be used to modify all node specs
Description
KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the virt-handler service account to modify the spec of a node.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kubevirt.io/kubevirtGo | <= 0.59.0 | — |
Affected products
10- ghsa-coords9 versionspkg:golang/kubevirt.io/kubevirtpkg:rpm/opensuse/kubevirt-1.8&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/kubevirt1.8&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/kubevirt&distro=openSUSE%20Tumbleweedpkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4
<= 0.59.0+ 8 more
- (no CPE)range: <= 0.59.0
- (no CPE)range: < 1.8.3-1.1
- (no CPE)range: < 1.8.3-1.1
- (no CPE)range: < 0.54.0-150400.3.13.1
- (no CPE)range: < 0.54.0-150400.3.13.1
- (no CPE)range: < 0.59.0-2.1
- (no CPE)range: < 0.54.0-150400.3.13.1
- (no CPE)range: < 0.54.0-150400.3.13.1
- (no CPE)range: < 0.54.0-150400.3.13.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-cp96-jpmq-xrr2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-26484ghsaADVISORY
- github.com/kubevirt/kubevirt/issues/9109ghsax_refsource_MISCWEB
- github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.