KubeVirt
cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:kubernetes:*:*
- >= 1.5.0, <= 1.5.3
- 1.6.0
An authentication bypass vulnerability has been identified in KubeVirt versions 1.5.3 and prior, as well as in version 1.6.0. The issue is in the 'virt-api' component, which improperly authenticates clients over mutual TLS (mTLS): it fails to validate the Common Name (CN) field of client TLS certificates against the allowed values in the 'extension-apiserver-authentication' configmap. This flaw can enable an attacker to bypass Role-Based Access Control (RBAC) and interact directly with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. Exploitation requires a valid front-end proxy certificate signed by a trusted CA and network access to the 'virt-api' service.
Exploitation allows bypassing of RBAC controls, enabling unauthorized access to the 'virt-api' aggregated API server. This could lead to unauthorized manipulation of virtual machine workloads, disrupting their operation.
To reproduce this vulnerability, an attacker must obtain a valid front-end proxy certificate signed by the same CA trusted by the Kubernetes API server. This can be done by compromising a front-end proxy or exploiting a poorly managed PKI system. Once the certificate is obtained, the attacker can use it to bypass authentication on the 'virt-api' server. After successfully authenticating, the attacker can send API requests to 'virt-api' endpoints that require authentication, effectively bypassing the intended access controls.
Users can upgrade to KubeVirt versions 1.5.3 or 1.6.1, where this vulnerability has been fixed.