KubeVirt, Pod Association Logic Flaw, CVE-2024-xxxx (Critical)


How the CVE Works

A logic flaw exists in virt-controller's pod association mechanism. The `CurrentVMIPod` function retrieves the `virt-launcher` pod for a VirtualMachineInstance (VMI) by scanning the pods in the VMI's namespace and keeping the most recently created one that it considers controlled by the VMI. That ownership test uses `GetControllerOf`, which first checks for a controller OwnerReference. If none exists, it falls back to the `kubevirt.io/created-by` label, which should contain the VMI's UID. The fallback is the weak point: the label is plain metadata that any pod author can set, so it is not evidence that virt-controller created the pod.

An attacker who knows a VMI's UID (it is visible to anyone allowed to `get` the VMI) and can create pods in the same namespace creates a pod carrying an identical `kubevirt.io/created-by` label and no OwnerReference. Because the fallback does not require an OwnerReference, `virt-controller` may associate this fake pod with the VMI during the next reconciliation instead of the legitimate `virt-launcher` pod. By keeping the fake pod the "most recently created" one, or by annotating it so the controller treats it as an ephemeral provisioning pod, the attacker can trigger a race condition in the reconciliation logic that incorrectly moves the VMI's status to 'Failed'. The result is a Denial-of-Service (DoS): the QEMU process keeps running inside the real launcher pod, but the VMI is reported as failed and is unreachable via the Kubernetes API.

DailyCVE Form

Platform: KubeVirt
Version: Pre-1.2.0
Vulnerability: Pod Association Bypass
Severity: Critical
Date: 2024-10-24

Prediction: Patch expected 2024-11-14

What Undercode Say:

`kubectl get vmi <vmi-name> -o jsonpath='{.metadata.uid}'  # the UID that a legitimate launcher pod carries in its kubevirt.io/created-by label`

`kubectl get vmi <vmi-name> -o jsonpath='{.status.activePods}'  # which pod(s) the controller currently associates with the VMI`

`kubectl get pod <pod-name> -o jsonpath='{.spec.containers[0]}' | jq .  # inspect the first container of the associated pod`

`kubectl patch vmi <vmi-name> -p '{"metadata":{"annotations":{"trigger":"value"}}}' --type=merge  # metadata change that forces a reconciliation pass`

How Exploit:

1. Attacker obtains VMI UID.

2. Creates a pod in the VMI's namespace with the label `kubevirt.io/created-by: <vmi-uid>` and no OwnerReference.

3. Triggers VMI reconciliation loop.

4. `virt-controller` associates fake pod.

5. Attacker adds the `kubevirt.io/ephemeral-provisioning: "true"` annotation to the fake pod.

6. Race condition marks the VMI as 'Failed'.

7. VMI becomes unmanageable, causing DoS.
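To make the association logic and steps 1 to 4 above concrete, here is an added Go model of the pod selection the page describes. It is not KubeVirt's code: the types are stripped-down stand-ins for the Kubernetes objects, the VMI UID and pod names are constructed, and `controllerUIDHardened` is one illustrative way of closing the label fallback, not the upstream patch. The model stops at step 4 (the controller picking the wrong pod); the annotation race in steps 5 to 7 needs the real reconciliation loop.

```go
package main

import (
	"fmt"
	"time"
)

// Stand-ins for the Kubernetes objects (not client-go types): only the fields
// that the association logic looks at.
type OwnerReference struct {
	Kind       string
	UID        string
	Controller bool
}

type Pod struct {
	Name              string
	Labels            map[string]string
	OwnerReferences   []OwnerReference
	CreationTimestamp time.Time
}

type VMI struct {
	UID string
}

const createdByLabel = "kubevirt.io/created-by"

// controllerUIDVulnerable mirrors the fallback the advisory describes: take
// the controller OwnerReference if there is one, otherwise trust the
// kubevirt.io/created-by label, which any pod author can set.
func controllerUIDVulnerable(p Pod) (string, bool) {
	for _, ref := range p.OwnerReferences {
		if ref.Controller {
			return ref.UID, true
		}
	}
	if uid := p.Labels[createdByLabel]; uid != "" {
		return uid, true
	}
	return "", false
}

// controllerUIDHardened (illustrative, not the real fix) never consults the
// label: only a controller OwnerReference of kind VirtualMachineInstance counts.
func controllerUIDHardened(p Pod) (string, bool) {
	for _, ref := range p.OwnerReferences {
		if ref.Controller && ref.Kind == "VirtualMachineInstance" {
			return ref.UID, true
		}
	}
	return "", false
}

// currentVMIPod keeps the most recently created pod that ownerOf attributes
// to the VMI, the selection rule the page describes for CurrentVMIPod.
func currentVMIPod(vmi VMI, pods []Pod, ownerOf func(Pod) (string, bool)) *Pod {
	var cur *Pod
	for i := range pods {
		uid, ok := ownerOf(pods[i])
		if !ok || uid != vmi.UID {
			continue
		}
		if cur == nil || cur.CreationTimestamp.Before(pods[i].CreationTimestamp) {
			cur = &pods[i]
		}
	}
	return cur
}

// scenario is the constructed fixture: the genuine virt-launcher pod (label
// plus OwnerReference) and, one minute later, an attacker pod that copied only
// the label after learning the VMI UID (steps 1 and 2 of the exploit).
func scenario() (VMI, []Pod) {
	vmi := VMI{UID: "11111111-2222-3333-4444-555555555555"} // constructed UID
	t0 := time.Date(2024, 10, 24, 12, 0, 0, 0, time.UTC)
	legit := Pod{
		Name:              "virt-launcher-testvm-abcde",
		Labels:            map[string]string{createdByLabel: vmi.UID},
		OwnerReferences:   []OwnerReference{{Kind: "VirtualMachineInstance", UID: vmi.UID, Controller: true}},
		CreationTimestamp: t0,
	}
	fake := Pod{
		Name:              "attacker-pod",
		Labels:            map[string]string{createdByLabel: vmi.UID},
		CreationTimestamp: t0.Add(time.Minute),
	}
	return vmi, []Pod{legit, fake}
}

func main() {
	vmi, pods := scenario()
	// Steps 3 and 4: on reconciliation the vulnerable rule picks the newer,
	// label-only pod; the hardened rule ignores it.
	fmt.Println("vulnerable picks:", currentVMIPod(vmi, pods, controllerUIDVulnerable).Name)
	fmt.Println("hardened picks:  ", currentVMIPod(vmi, pods, controllerUIDHardened).Name)
}
```

One caveat on the hardened variant: an OwnerReference is also client-writable metadata, so requiring it raises the bar but does not by itself stop a pod author who can write arbitrary `ownerReferences`; namespace-level restrictions on who may create pods next to VMIs remain the primary control.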

Protection from this CVE

Apply vendor patch.

Enforce Pod Security Standards.

Restrict pod creation permissions.

Use network policies for isolation.

Monitor for suspicious pods.
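For the "monitor for suspicious pods" item, here is an added Go check (not part of the page or of KubeVirt) that reads the JSON shape `kubectl get pods -A -o json` produces and flags pods whose `kubevirt.io/created-by` label names a VMI UID that no VirtualMachineInstance controller ownerReference confirms. The pod list embedded below is a constructed fixture; the assumption behind the rule, that pods created by virt-controller carry both the label and the ownerReference, is stated in the comments.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

const createdByLabel = "kubevirt.io/created-by"

// ownerRef and podList are a minimal view of `kubectl get pods -o json`,
// limited to the fields the check needs (not the client-go types).
type ownerRef struct {
	Kind       string `json:"kind"`
	UID        string `json:"uid"`
	Controller bool   `json:"controller"`
}

type podList struct {
	Items []struct {
		Metadata struct {
			Name            string            `json:"name"`
			Namespace       string            `json:"namespace"`
			Labels          map[string]string `json:"labels"`
			OwnerReferences []ownerRef        `json:"ownerReferences"`
		} `json:"metadata"`
	} `json:"items"`
}

// suspiciousPods returns "namespace/name" for every pod that claims a VMI via
// the created-by label without a matching VirtualMachineInstance controller
// ownerReference. Assumption: pods that virt-controller creates itself carry
// both, so a label without the ownerReference is the signature of a spoofed
// association. Treat hits as leads to inspect, not as verdicts.
func suspiciousPods(raw []byte) ([]string, error) {
	var list podList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("decoding pod list: %w", err)
	}
	var out []string
	for _, p := range list.Items {
		claimed := p.Metadata.Labels[createdByLabel]
		if claimed == "" {
			continue // does not claim to belong to a VMI
		}
		owned := false
		for _, ref := range p.Metadata.OwnerReferences {
			if ref.Controller && ref.Kind == "VirtualMachineInstance" && ref.UID == claimed {
				owned = true
				break
			}
		}
		if !owned {
			out = append(out, p.Metadata.Namespace+"/"+p.Metadata.Name)
		}
	}
	return out, nil
}

// samplePodList is a constructed fixture: a genuine virt-launcher pod, an
// attacker pod that copied only the label, a ReplicaSet-managed pod that also
// carries the label, and an unrelated pod.
const samplePodList = `{
  "items": [
    {"metadata": {"name": "virt-launcher-testvm-abcde", "namespace": "tenant-a",
      "labels": {"kubevirt.io/created-by": "1111-aaaa"},
      "ownerReferences": [{"kind": "VirtualMachineInstance", "uid": "1111-aaaa", "controller": true}]}},
    {"metadata": {"name": "attacker-pod", "namespace": "tenant-a",
      "labels": {"kubevirt.io/created-by": "1111-aaaa"}}},
    {"metadata": {"name": "web-7d9f-x2kq", "namespace": "tenant-a",
      "labels": {"kubevirt.io/created-by": "1111-aaaa"},
      "ownerReferences": [{"kind": "ReplicaSet", "uid": "2222-bbbb", "controller": true}]}},
    {"metadata": {"name": "unrelated", "namespace": "tenant-a", "labels": {"app": "x"}}}
  ]
}`

func main() {
	raw := []byte(samplePodList)
	if len(os.Args) > 1 && os.Args[1] == "-" { // read a real pod list from stdin
		var err error
		if raw, err = io.ReadAll(os.Stdin); err != nil {
			panic(err)
		}
	}
	flagged, err := suspiciousPods(raw)
	if err != nil {
		panic(err)
	}
	for _, name := range flagged {
		fmt.Println("suspicious:", name)
	}
}
```

Run it against a live cluster with `kubectl get pods -A -o json | go run main.go -`; without the `-` argument it runs on the embedded fixture and flags `tenant-a/attacker-pod` and `tenant-a/web-7d9f-x2kq`.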

Impact:

Virtual Machine Denial-of-Service

Control Plane Compromise

Bypassed Node Affinity Rules

Sources:

Reported By: github.com