Kata Containers
cpe:2.3:a:katacontainers:kata_containers:*:*:*:*:*:*:*
- <= 3.26.0
A vulnerability in Kata Containers versions prior to 3.27.0, when used with Cloud Hypervisor, allows container users to modify the file system of the Guest micro VM. This manipulation can lead to arbitrary code execution as root within the VM. The issue arises because the 'virtio-pmem' storage driver, used to manage the VM's root file system, does not properly enforce read-only access. As a result, unauthorized changes can be made to the file system, which may be exploited to execute malicious code. While this vulnerability does not affect the security of the Host or other containers/VMs on the Host, it poses a significant risk within the affected Guest VM.
Exploitation of this vulnerability allows for unauthorized modification of the Guest VM's file system, leading to arbitrary code execution as root within the VM. This could be used to replace critical system binaries or libraries with malicious versions, which would be executed in the context of the root user.
To reproduce this vulnerability, create a Kata Containers VM using Cloud Hypervisor with a 'virtio-pmem' block device driver. Once the VM is running, a container can be launched with the necessary permissions to access the '/dev/pmem0' device. The container can then write data to this device, which will be reflected in the Guest VM's file system. After modifying the file system, the changes can be used to execute arbitrary code in the VM, such as by replacing a system binary with a malicious payload that connects back to an external server.
Users can upgrade to Kata Containers version 3.27.0 or later, where this vulnerability has been patched.
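A triage check for the conditions described above (affected release, Cloud Hypervisor in use, rootfs on 'virtio-pmem'), added here as an example and not taken from the Kata Containers project. The section names '[hypervisor.clh]' and '[hypervisor.cloud-hypervisor]', the 'vm_rootfs_driver' key, and the version-string format are assumptions about the runtime's configuration.toml and CLI output; the sample config is constructed.

```python
import re

FIXED = (3, 27, 0)  # first patched release, per the advisory text
# Assumed section names for Cloud Hypervisor in Kata's configuration.toml.
CLH_SECTIONS = {"hypervisor.clh", "hypervisor.cloud-hypervisor"}
# Constructed sample input, not taken from a real deployment.
SAMPLE_CONFIG = '''
[hypervisor.clh]
path = "/opt/kata/bin/cloud-hypervisor"
vm_rootfs_driver = "virtio-pmem"  # rootfs storage driver
'''

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) from a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups()[:3]), m.group(4) is not None

def clh_settings(config_text):
    """Collect key/value pairs from Cloud Hypervisor sections; None if absent."""
    section, found, settings = None, False, {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. disabled keys
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            found = found or section in CLH_SECTIONS
        elif section in CLH_SECTIONS and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings if found else None

def assess(version_text, config_text):
    """Classify a node as 'exposed', 'not-exposed' or 'patched'."""
    version, prerelease = parse_version(version_text)
    # A pre-release of 3.27.0 is not confirmed to carry the fix: treat as affected.
    affected = version < FIXED or (version == FIXED and prerelease)
    if not affected:
        return "patched"
    settings = clh_settings(config_text)
    if settings is None:
        return "not-exposed"  # Cloud Hypervisor is not configured
    # Assumed key; when unset, assume virtio-pmem backs the rootfs (conservative).
    driver = settings.get("vm_rootfs_driver", "virtio-pmem")
    return "exposed" if driver == "virtio-pmem" else "not-exposed"

if __name__ == "__main__":
    print(assess("kata-runtime  : 3.26.0", SAMPLE_CONFIG))
```

A 'not-exposed' result on an affected release only means the Cloud Hypervisor and 'virtio-pmem' combination was not found in that config; the upgrade to 3.27.0 or later still applies.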