CVE-2023-26484 : KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59

KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node.

Published 2023-03-15 21:15:09

Updated 2023-03-27 16:58:07

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-26484

Kubevirt » Kubevirt » For Kubernetes
Versions up to, including, (<=) 0.59.0
cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-26484

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 28 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-26484

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.2	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N	1.8	5.8	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: None
8.2	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N	1.8	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2023-26484

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-26484

https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2

On a compromised node, the virt-handler service account can be used to modify all node specs · Advisory · kubevirt/kubevirt · GitHub
Mitigation;Vendor Advisory
https://github.com/kubevirt/kubevirt/issues/9109

A potential risk of kubevirt makes a worker node get the cluster's admin secret. · Issue #9109 · kubevirt/kubevirt · GitHub
Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-26484

Products affected by CVE-2023-26484

Exploit prediction scoring system (EPSS) score for CVE-2023-26484

CVSS scores for CVE-2023-26484

CWE ids for CVE-2023-26484

References for CVE-2023-26484