KubeVirt Privilege Escalation Vulnerability in virt-handler Component
Vulnerability
A privilege escalation vulnerability has been identified in the virt-handler component of KubeVirt. This issue allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper validation of symlinks when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This exploitation enables access to any Unix socket on the host, potentially leading to full control of the node and the entire cluster.
Impact
Exploitation of this vulnerability could result in unauthorized access to Unix sockets on the host, allowing an attacker to execute commands or access files in a way that could compromise the entire node and cluster.
Reproduction
To reproduce this vulnerability, an authenticated OpenShift user with edit permissions in a single namespace can exec into a virt-launcher pod. Once inside the pod, the user can replace the console socket with a symlink pointing to the host's CRI-O socket. This action hijacks virt-handler's privileged connection, granting access to Unix sockets on the host.
Remediation
It is recommended to update cluster RBAC to prevent exec access into virt-launcher pods.
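As an added illustration (not KubeVirt's or virt-handler's own code), the following Go function shows the kind of symlink-aware validation a privileged component can apply before dialing a console socket that an untrusted party can modify: it refuses paths outside the expected directory, any symlink component, and anything that is not a Unix socket. The directory layout, function names and error values are this example's own assumptions, as is the note that the check does not close the check-then-connect race.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeSocket is returned when a console socket path fails validation.
var ErrUnsafeSocket = errors.New("refusing to connect: unsafe socket path")

// validateSocketPath rejects paths that could redirect a privileged connect()
// elsewhere on the host: anything outside expectedDir, any component below
// expectedDir that is a symlink, and anything that is not a Unix socket.
// Lstat (not Stat) is used so a symlink is seen as a symlink, not its target.
func validateSocketPath(expectedDir, sockPath string) error {
	rel, err := filepath.Rel(filepath.Clean(expectedDir), filepath.Clean(sockPath))
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return fmt.Errorf("%w: %q is outside %q", ErrUnsafeSocket, sockPath, expectedDir)
	}
	var fi os.FileInfo
	cur := filepath.Clean(expectedDir)
	// Walk every component so a swapped intermediate directory is caught too.
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, part)
		if fi, err = os.Lstat(cur); err != nil {
			return fmt.Errorf("%w: %v", ErrUnsafeSocket, err)
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %q is a symlink", ErrUnsafeSocket, cur)
		}
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return fmt.Errorf("%w: %q is not a unix socket", ErrUnsafeSocket, sockPath)
	}
	return nil
}

// dialConsole validates, then dials. The check-then-connect window is still a
// TOCTOU gap: whoever can write the directory can swap the entry in between,
// so limiting who can write there (and who can exec into the pod, as the
// remediation above says) remains the primary control.
func dialConsole(expectedDir, sockPath string) (net.Conn, error) {
	if err := validateSocketPath(expectedDir, sockPath); err != nil {
		return nil, err
	}
	return net.Dial("unix", sockPath)
}
```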
