Product: KubeVirt
CPE: cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:kubernetes:*:*
Affected versions:
- <= 1.5.3
- = 1.6.0
A vulnerability in KubeVirt's hostDisk feature prior to versions 1.6.1 and 1.7.0 allows virtual machines to read and write arbitrary files owned by more privileged users on the host system. This issue arises when the DiskOrCreate option is used, creating a file without proper ownership validation. As a result, sensitive host files can be accessed and modified, potentially disrupting system operations.
Exploitation of this vulnerability allows virtual machines to manipulate sensitive host files, leading to unauthorized changes that could disrupt system operations. In a demonstrated proof of concept, the vulnerability was used to alter the contents of the host's passwd file, a critical system file, causing significant operational issues.
To reproduce this vulnerability, deploy KubeVirt with the hostDisk feature gate enabled. Create a VirtualMachine instance that mounts a file from the host using the DiskOrCreate option. The VM will start successfully, and the mounted file can be accessed and modified from within the VM, demonstrating unauthorized file manipulation on the host.
Users can upgrade to KubeVirt versions 1.6.1 or 1.7.0, where this vulnerability has been addressed.
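For clusters that cannot be upgraded immediately, the following added example (not part of the advisory or of KubeVirt's own code) inventories the exposure described above: it checks a version string against the affected ranges listed on this page and flags every hostDisk volume declared with type DiskOrCreate. It assumes the input is the JSON produced by `kubectl get vm,vmi -A -o json`; the function names and the sample objects are constructed for illustration.

```python
import json

# Affected ranges as listed on this page: <= 1.5.3 and = 1.6.0.
def is_affected(version: str) -> bool:
    """True if a KubeVirt version string such as 'v1.5.3' is in the listed ranges."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts <= (1, 5, 3) or parts == (1, 6, 0)

def _volumes(obj: dict) -> list:
    """A VirtualMachine keeps the VMI spec under spec.template.spec; a VMI under spec."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "VirtualMachine":
        spec = (spec.get("template") or {}).get("spec") or {}
    return spec.get("volumes") or []

def find_hostdisk_or_create(doc: dict) -> list:
    """Return (kind, namespace, name, volume, host path) for each DiskOrCreate hostDisk."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    hits = []
    for obj in items:
        meta = obj.get("metadata") or {}
        for vol in _volumes(obj):
            hd = vol.get("hostDisk")
            if hd and hd.get("type") == "DiskOrCreate":
                hits.append((obj.get("kind"), meta.get("namespace", "default"),
                             meta.get("name"), vol.get("name"), hd.get("path")))
    return hits

# Constructed sample input (not taken from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "VirtualMachineInstance", "metadata": {"name": "vmi-a", "namespace": "tenant1"},
  "spec": {"volumes": [{"name": "data", "hostDisk":
      {"path": "/data/disk.img", "type": "DiskOrCreate", "capacity": "1Gi"}}]}},
 {"kind": "VirtualMachine", "metadata": {"name": "vm-b", "namespace": "tenant2"},
  "spec": {"template": {"spec": {"volumes": [
      {"name": "img", "hostDisk": {"path": "/data/b.img", "type": "Disk"}},
      {"name": "root", "containerDisk": {"image": "example/disk"}}]}}}}
]}
""")

if __name__ == "__main__":
    for hit in find_hostdisk_or_create(SAMPLE):
        print("review:", *hit)
```

Any hit on a cluster running an affected version is a workload to review before and after the upgrade, since the host path it names is the file the VM can read and write.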