KubeVirt, Arbitrary File Read, CVE-2023-3086 (Critical)

How the mentioned CVE works:

This vulnerability exploits improper symlink handling when mounting PersistentVolumeClaims (PVCs) into a KubeVirt virtual machine. An attacker with control over a PVC’s contents can create a symbolic link named `disk.img` pointing to any file on the `virt-launcher` pod’s host filesystem. During the VM startup process, the KubeVirt stack, due to a secondary flaw, changes the ownership of the symlink’s target file to the unprivileged QEMU user (UID 107) before passing it to libvirt. Libvirt, which can treat regular files as block devices, then makes this file available to the guest VM as a raw disk. This allows the attacker to mount and read any targeted file from within the VM, breaching the isolation between the guest and the host pod.

DailyCVE Form:

Platform: KubeVirt
Version: (pre-patch)
Vulnerability: Arbitrary File Read
Severity: Critical
Date: 2023-05-19

Prediction: Patch 2023-06-15

What Undercode Say:

`ln -s ../../../../../../../../etc/passwd disk.img`

`lsblk`

`cat /dev/vdc`

`kubectl apply -f vm.yaml`

`virtctl console vm-name`

How Exploit:

Create malicious PVC symlinks.

Deploy VM referencing PVC.

Access host files from guest.

Protection from this CVE:

Update KubeVirt immediately.

Restrict PVC content control.

Implement Pod Security Standards.
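
One way to act on "Restrict PVC content control" is to audit a mounted PVC directory before a VM references it. The following is an added example, not code from the advisory or from KubeVirt: it flags a `disk.img` that is a symlink and reports whether the link resolves outside the volume root. The function names, result labels and sample directories are assumptions, and the sample data is constructed.

```python
import os
import stat
import tempfile

DISK_NAME = "disk.img"  # file name the advisory describes inside the PVC


def audit_disk_image(volume_root, disk_name=DISK_NAME):
    """Classify <volume_root>/<disk_name> by inspecting the entry itself.

    Returns "missing", "ok", "symlink-inside", "symlink-escape" or "not-regular".
    """
    root = os.path.realpath(volume_root)
    path = os.path.join(root, disk_name)
    try:
        st = os.lstat(path)  # lstat looks at the link, not at its target
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        target = os.path.realpath(path)  # resolves ../ chains and nested links
        inside = os.path.commonpath([root, target]) == root
        return "symlink-inside" if inside else "symlink-escape"
    return "ok" if stat.S_ISREG(st.st_mode) else "not-regular"


def build_constructed_samples(base):
    """Create three constructed PVC directories under base (hypothetical layout)."""
    samples = {}
    for name in ("benign", "hostile", "internal"):
        samples[name] = os.path.join(base, name)
        os.mkdir(samples[name])
    with open(os.path.join(samples["benign"], DISK_NAME), "wb") as f:
        f.write(b"\0" * 512)  # plain file standing in for a real disk image
    # Same link shape as the `ln -s` line quoted in the advisory.
    os.symlink("../../../../../../../../etc/passwd",
               os.path.join(samples["hostile"], DISK_NAME))
    with open(os.path.join(samples["internal"], "real.img"), "wb") as f:
        f.write(b"\0" * 512)
    os.symlink("real.img", os.path.join(samples["internal"], DISK_NAME))
    return samples


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for name, directory in build_constructed_samples(base).items():
            print(f"{name}: {audit_disk_image(directory)}")
```

A `symlink-inside` result is still worth reviewing, because a disk image has no reason to be a link. The check is a point-in-time audit of PVC contents and does not replace updating KubeVirt.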

Impact:

Confidentiality breach.

Pod host file disclosure.

Isolation boundary failure.

Sources:

Reported By: github.com