KubeVirt virt-handler Symlink Handling Vulnerability Allows Arbitrary File Ownership Changes

Vulnerability

A vulnerability exists in KubeVirt's virt-handler component, specifically in versions prior to 1.5.3 and 1.6.1. The issue arises because virt-handler does not properly verify whether the launcher-sock is a symlink or a regular file. This flaw can be exploited to change the ownership of arbitrary files on the host node to an unprivileged user with UID 107, which is the same user used by virt-launcher. As a result, this vulnerability can compromise the confidentiality, integrity, and availability of data on the host. To exploit this vulnerability, an attacker must have control over the file system of the virt-launcher pod.

Impact

Exploitation of this vulnerability allows for arbitrary file ownership changes on the host node, transferring ownership to the unprivileged user with UID 107. This could lead to unauthorized access or modification of sensitive files, such as those owned by the root user.

Reproduction

The vulnerability can be reproduced by creating a symbolic link that points to a file on the host system, such as '/etc/passwd'. This can be done by manipulating the 'launcher-sock' socket in the 'virt-launcher' pod to confuse the isolation detection, allowing the 'virt-handler' to change file ownership on the host.

Remediation

Users can upgrade to KubeVirt versions 1.5.3 or 1.6.1, where this vulnerability has been fixed.
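
The missing check described under Vulnerability, sketched as an added example (not KubeVirt's code and not the upstream fix): a socket path is handed over only if the path itself is a socket, and the ownership change never dereferences a symlink. The helper name chownSocketNoFollow and the temporary files are hypothetical and constructed for the demo, which uses the current UID/GID instead of UID 107 so it runs unprivileged.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// ErrNotSocket is returned when the path is anything other than a real socket.
var ErrNotSocket = errors.New("refusing chown: path is not a unix socket")

// chownSocketNoFollow is a hypothetical helper (assumption, not KubeVirt API).
// It changes ownership only when the final path component is itself a socket.
// Symlinks in parent directories are out of scope and need separate handling.
func chownSocketNoFollow(path string, uid, gid int) error {
	fi, err := os.Lstat(path) // Lstat describes the link, not its target
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeType != os.ModeSocket {
		return fmt.Errorf("%w: %s has mode %v", ErrNotSocket, path, fi.Mode())
	}
	// Lchown acts on the path entry itself, so swapping in a symlink after
	// the check cannot redirect the ownership change to the link target.
	return os.Lchown(path, uid, gid)
}

func main() {
	dir, err := os.MkdirTemp("", "sock-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed stand-ins: a "host file" and a symlink posing as the socket.
	target := filepath.Join(dir, "host-file")
	link := filepath.Join(dir, "launcher-sock")
	os.WriteFile(target, []byte("sensitive data\n"), 0o600)
	os.Symlink(target, link)
	fmt.Println("symlink:", chownSocketNoFollow(link, os.Getuid(), os.Getgid()))

	sock := filepath.Join(dir, "real-sock")
	if l, err := net.Listen("unix", sock); err == nil {
		defer l.Close()
		fmt.Println("socket:", chownSocketNoFollow(sock, os.Getuid(), os.Getgid()))
	}
}
```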

Added: Nov 7, 2025, 11:18 PM
Updated: Nov 7, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.6
impact: 7.5
exploitability: 3.8
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.