KubeVirt Excessive Permissions Vulnerability Allowing Unauthorized VMI Migrations

Vulnerability

A vulnerability in KubeVirt versions through 1.5.0 allows unauthorized migrations of Virtual Machine Instances (VMIs) to attacker-controlled nodes. The issue arises from excessive permissions granted to the 'virt-handler' service account: virt-handler runs as a DaemonSet with one pod per node, every pod uses the same service account, and that account is allowed to modify the state and node labels of any VMI in the cluster, not only the VMIs scheduled to its own node. An attacker who compromises a single virt-handler pod can therefore force VMIs running elsewhere to migrate to the compromised node, where the VMI's privileged virt-launcher pod is then created under the attacker's control.

Impact

Exploitation of this vulnerability disrupts normal VMI scheduling and management: an attacker can choose which node a VMI runs on, cause running VMIs to be terminated and rescheduled, and bring privileged pods onto a node they already control. Compromise of one node thus extends to workloads that were never scheduled there.

Reproduction

To reproduce this vulnerability, first create a VMI and confirm it is running on a specific node (call it node A). Then compromise a 'virt-handler' pod on a different node (node B) and use the service account token mounted in that pod to patch the VMI object through the Kubernetes API, changing the label that records the VMI's node from node A to node B. Because virt-handler on node A no longer considers the VMI its own while virt-handler on node B does, the VMI is terminated and rescheduled on node B. For testing without an actual pod compromise, the same request can be issued with kubectl impersonation of the 'virt-handler' service account (for example, kubectl --as=system:serviceaccount:<kubevirt-namespace>:<virt-handler-service-account>); the result is the same because the permission belongs to the service account, not to a particular pod.

Remediation

KubeVirt users should ensure that the 'virt-handler' service account permissions are restricted so that a handler can only modify VMIs scheduled to its own node, and should enable the 'NodeRestriction' feature gate in the KubeVirt configuration, which rejects VMI modifications from a virt-handler whose node does not match the VMI's node. As a check, audit the ClusterRole bound to the virt-handler service account for cluster-wide update and patch rights on VMI resources, and review API server audit logs for VMI patches issued by that service account that change the VMI's node label to a node other than the one the VMI was running on.
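The following is an added example, not code from KubeVirt or from this advisory. It models, as a standalone Python function, the kind of node-restriction rule the Remediation section describes, and it replays the request from the Reproduction section against that rule. It assumes the service account name system:serviceaccount:kubevirt:kubevirt-handler, the VMI node label kubevirt.io/nodeName, and that the requester's node can be read from the authentication.kubernetes.io/node-name entry in the user info of a node-bound service account token; all three are assumptions of this example, and the VMI objects and user-info dictionaries are constructed inline.

```python
"""
Model of a node-restriction admission check for VMI updates.
Added example; it is not KubeVirt's own webhook code.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Assumed identifiers (not taken from the advisory text).
HANDLER_SA = "system:serviceaccount:kubevirt:kubevirt-handler"
NODE_NAME_LABEL = "kubevirt.io/nodeName"
# Assumed user-info extra key carried by node-bound service account tokens,
# used here to learn which node the calling virt-handler runs on.
NODE_NAME_EXTRA = "authentication.kubernetes.io/node-name"


@dataclass
class Decision:
    allowed: bool
    reason: str


def make_vmi(name: str, node: Optional[str]) -> Dict[str, Any]:
    """Construct a minimal VMI object; node=None means not yet scheduled."""
    labels = {NODE_NAME_LABEL: node} if node else {}
    status = {"nodeName": node} if node else {}
    return {"metadata": {"name": name, "labels": labels}, "status": status}


def handler_user(node: Optional[str]) -> Dict[str, Any]:
    """Construct the user info the API server would attach to a virt-handler request."""
    extra = {NODE_NAME_EXTRA: [node]} if node else {}
    return {"username": HANDLER_SA, "extra": extra}


def requester_node(user_info: Dict[str, Any]) -> Optional[str]:
    values = (user_info.get("extra") or {}).get(NODE_NAME_EXTRA) or []
    return values[0] if values else None


def vmi_node(vmi: Dict[str, Any]) -> Optional[str]:
    """Prefer status.nodeName; fall back to the node label virt-handler watches."""
    node = (vmi.get("status") or {}).get("nodeName")
    if node:
        return node
    return ((vmi.get("metadata") or {}).get("labels") or {}).get(NODE_NAME_LABEL)


def validate_vmi_update(user_info: Dict[str, Any],
                        old_vmi: Dict[str, Any],
                        new_vmi: Dict[str, Any]) -> Decision:
    """
    Node-restriction rule: a virt-handler may only touch VMIs on its own node
    and may never move a VMI to another node. Other callers are left to RBAC.
    """
    if user_info.get("username") != HANDLER_SA:
        return Decision(True, "caller is not virt-handler; RBAC decides")
    caller = requester_node(user_info)
    if caller is None:
        # A handler token with no node binding cannot be scoped, so reject it.
        return Decision(False, "virt-handler token carries no node binding")
    current = vmi_node(old_vmi)
    if current is not None and current != caller:
        return Decision(False, f"handler on {caller} may not modify a VMI on {current}")
    target = vmi_node(new_vmi)
    if target is not None and target != caller:
        return Decision(False, f"handler on {caller} may not reassign a VMI to {target}")
    return Decision(True, "same-node update by the owning virt-handler")


def replay_attack() -> Decision:
    """The Reproduction scenario: handler on node-b relabels a VMI running on node-a."""
    return validate_vmi_update(handler_user("node-b"),
                               make_vmi("vmi-1", "node-a"),
                               make_vmi("vmi-1", "node-b"))


if __name__ == "__main__":
    print("attack:", replay_attack())
    print("legit :", validate_vmi_update(handler_user("node-a"),
                                         make_vmi("vmi-1", "node-a"),
                                         make_vmi("vmi-1", "node-a")))
```

Without the rule (or with a token that is not node-bound) the same patch succeeds, because RBAC alone sees only "the virt-handler service account may update VMIs". The check is deliberately conservative: a handler request that cannot prove its node is denied rather than allowed.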

Added: Nov 7, 2025, 11:18 PM
Updated: Nov 7, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.6
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.