KubeVirt
cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:kubernetes:*:*
- 1.5.0
A vulnerability exists in KubeVirt versions prior to 1.5.3 and 1.6.1, where improper handling of TLS certificates in the virt-handler component allows a compromised virt-handler instance to impersonate virt-api. Exploitation can lead to unauthorized access to virtual machine lifecycle operations on other virt-handler instances, potentially disrupting the integrity and availability of managed virtual machines. The issue arises because the client certificates used by virt-api and virt-handler share the same Common Name (CN), enabling an attacker to misuse the credentials of a compromised virt-handler instance.
Exploitation of this vulnerability allows a compromised virt-handler instance to impersonate virt-api, facilitating unauthorized access to VM lifecycle operations on other virt-handler nodes. This could disrupt the management and availability of virtual machines running on those nodes.
The vulnerability can be reproduced by deploying a KubeVirt environment with two nodes, each running a virt-handler instance. Once a VM is active on one node, the client certificate from the virt-handler on the compromised node can be used to interact with the virt-handler on the other node, exploiting the shared credentials to perform privileged operations on the VM.
Users can upgrade to KubeVirt versions 1.5.3 or 1.6.1, where this vulnerability has been addressed.
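A defender-side check for the root cause described above, as an added example that is not KubeVirt's code or part of the original advisory: it flags any client-certificate Common Name used by more than one component, since a server that authorizes peers by CN alone cannot tell those components apart. The CN strings and the `issue` and `sharedCNs` helpers are hypothetical; in practice the certificates would be parsed from each component's deployed client certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// issue returns a throwaway self-signed client certificate (constructed sample input).
func issue(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// sharedCNs maps each CN used by more than one component to those components.
func sharedCNs(certs map[string]*x509.Certificate) map[string][]string {
	byCN := map[string][]string{}
	for component, c := range certs {
		byCN[c.Subject.CommonName] = append(byCN[c.Subject.CommonName], component)
	}
	for cn, comps := range byCN {
		if len(comps) < 2 {
			delete(byCN, cn)
		}
		sort.Strings(comps)
	}
	return byCN
}

func main() {
	// Placeholder CN: the page does not give the real value.
	shared := map[string]*x509.Certificate{"virt-api": issue("example:shared-client"), "virt-handler": issue("example:shared-client")}
	fmt.Println(sharedCNs(shared))
}
```

An empty result means every component presents its own CN; any entry lists the components that a CN-only authorization check would treat as the same caller.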