KubeVirt
cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:kubernetes:*:*
- 1.5.0
A logic flaw has been identified in the virt-controller of KubeVirt versions prior to 1.7.0-beta.0. This vulnerability allows an attacker to disrupt the management of a running Virtual Machine Instance (VMI) by creating a pod that mimics the labels of the legitimate virt-launcher pod associated with that VMI. The virt-controller can be misled into linking the fraudulent pod with the VMI, causing incorrect status updates and potentially leading to a denial-of-service condition. The issue arises because the controller's pod-selection logic can be manipulated into replacing the authentic virt-launcher pod with an attacker-controlled one, disrupting the VMI's lifecycle management and control mechanisms.
Exploitation of this vulnerability allows an attacker to disrupt or take control of a VMI's lifecycle operations, potentially causing the VMI to be marked as failed while its associated QEMU process continues to run. This exploitation bypasses Kubernetes node-level security constraints, such as nodeSelectors or nodeAffinity, which are used to manage workload placement.
To reproduce this vulnerability, first deploy a VMI and obtain its UID. Then, create a pod in the same namespace with labels that mimic those of a legitimate virt-launcher pod, including the VMI's UID. Once the pod is created, trigger a VMI reconciliation loop, which will cause the virt-controller to mistakenly associate the fake pod with the VMI, disrupting its management.
Users should update to KubeVirt version 1.7.0-beta.0 or later, where this vulnerability has been fixed.
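Until the upgrade is in place, an audit of the pod listing can surface the condition the advisory describes: a pod carrying virt-launcher labels for a VMI UID that the controller did not create. The following is an added example, not code from the advisory or from the KubeVirt project; the label keys (`kubevirt.io`, `kubevirt.io/created-by`) and the VirtualMachineInstance ownerReference are assumptions about KubeVirt's launcher-pod conventions, and the pod objects are constructed sample data.

```python
# Added example: flag pods that claim to be the virt-launcher of a VMI but lack
# the controller-set ownerReference, and any second pod bound to a VMI UID that
# already has a launcher. Label and ownerReference names are assumptions about
# KubeVirt conventions, not values taken from the advisory.
import json

LAUNCHER_LABEL = "kubevirt.io"               # assumed: value "virt-launcher"
CREATED_BY_LABEL = "kubevirt.io/created-by"  # assumed: holds the VMI UID


def is_launcher_candidate(pod):
    labels = pod["metadata"].get("labels", {})
    return labels.get(LAUNCHER_LABEL) == "virt-launcher" and CREATED_BY_LABEL in labels


def owned_by_vmi(pod, vmi_uid):
    # A controller-created launcher carries an ownerReference to its VMI.
    for ref in pod["metadata"].get("ownerReferences", []):
        if ref.get("kind") == "VirtualMachineInstance" and ref.get("uid") == vmi_uid:
            return True
    return False


def find_impostor_launchers(pods):
    """Return (pod name, reason) for pods that mimic a launcher without the
    ownerReference, or that duplicate a launcher already bound to that VMI UID.
    A missing ownerReference is a weak signal on its own (any pod creator can
    set one); two launchers for one VMI UID in one namespace is the strong one."""
    findings, seen = [], {}
    for pod in pods:
        if not is_launcher_candidate(pod):
            continue
        meta = pod["metadata"]
        vmi_uid = meta["labels"][CREATED_BY_LABEL]
        key = (meta["namespace"], vmi_uid)
        if not owned_by_vmi(pod, vmi_uid):
            findings.append((meta["name"], f"claims VMI {vmi_uid} without a matching ownerReference"))
        elif key in seen:
            findings.append((meta["name"], f"second launcher for VMI {vmi_uid} (first: {seen[key]})"))
        else:
            seen[key] = meta["name"]
    return findings


# Constructed sample: one genuine launcher and one look-alike sharing its VMI UID.
SAMPLE_PODS = json.loads("""[
 {"metadata": {"name": "virt-launcher-vm1-abcde", "namespace": "default",
   "labels": {"kubevirt.io": "virt-launcher", "kubevirt.io/created-by": "uid-1111"},
   "ownerReferences": [{"kind": "VirtualMachineInstance", "uid": "uid-1111", "controller": true}]}},
 {"metadata": {"name": "look-alike", "namespace": "default",
   "labels": {"kubevirt.io": "virt-launcher", "kubevirt.io/created-by": "uid-1111"}}}
]""")

if __name__ == "__main__":
    for name, reason in find_impostor_launchers(SAMPLE_PODS):
        print(name, "->", reason)
```

Feed it the `items` array of a `kubectl get pods -A -o json` listing to audit a live cluster; a duplicate-launcher finding for a running VMI is the condition to investigate.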