A potential risk of kubevirt makes a worker node get the cluster's admin secret. #9109
Comments
Besides, I have written an email following the private security policy of the kubevirt vulnerability report. However, I tried my school email and it's not on the mailing whitelist :(. I am sorry to write up a "security issue" by opening a publicly accessible GitHub issue.
That is a nice abuse flow. Thanks for writing it up!
Sent it in your name to the list.
@rmohr Thanks for your reply! My school e-mail is nzyang@stu.xidian.edu.cn :) So can you add my e-mail to the whitelist? After that, should I discuss this potential risk by private email and close this open issue?
@rmohr I have tried to send the email using nzyang@stu.xidian.edu.cn and my GitHub account's primary email 952508578@qq.com. However, both told me that my email is bouncing back :( How can I reach you by email?
@aburdenthehand is this something which you can do?
@rmohr I'm looking into it.
@rmohr @aburdenthehand Thanks for your reply! I am a little busy these days because I am revising my paper :)
@younaman Sort of. We are still investigating the problem.
@aburdenthehand Thanks a lot! I checked my nzyang@stu.xidian.edu.cn just now, and I have received the three emails you sent :) I will reply to your mail after I finish my paper, thank you again for your patience :) Have a nice day!
@rmohr @aburdenthehand I can send mail to your mailbox, however, the cncf mailing list (cncf-kubevirt-security@lists.cncf.io) still rejects my mail; my mail provider says: "Warm tips: Please contact the recipient's administrator to adjust the anti-spam rule ,or ask the recipient to add your email address to the whitelist." Anyway, it seems like you (aburden@redhat.com) and robert.kielty (robert.kielty@cncf.io) have received my mail, can you answer the questions which I wrote in my mail? Looking forward to your reply!
@rmohr @aburdenthehand I write my questions in the following, and look forward to more comments:
@rmohr @aburdenthehand Knock knock! Are there any updates about my "possible CVE number"? Besides, the PR looks like it follows my first recommendations to mitigate the risks? Looking forward to your reply!
Yes, that is because of your initiative. Just note that virt-operator only has a Still, the core issue remains and is not addressed yet: virt-handler can modify pod specs. It is a serious issue but luckily not critical, since a node needs at least to get compromised first.
It is definitely a problem that daemonsets which can modify pod specs can "lure in" specific deployments with extended privileges if a node gets hacked. We are discussing mitigations and fixes at the moment.
I am currently checking regarding a CVE.
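A defender-side check for the class of issue discussed in this thread, added here as an example and not code from the KubeVirt project: it walks constructed ClusterRole and ClusterRoleBinding objects (shaped like `kubectl get ... -o json` output; the role names and namespace are made up) and reports which service accounts can update or patch nodes or pods cluster-wide, which is the kind of permission a node-local DaemonSet needs before a compromised node could steer privileged workloads onto itself.

```python
"""Audit which ServiceAccounts may mutate node or pod objects cluster-wide."""
from collections import defaultdict

# Verbs that allow changing labels, annotations or specs of an object.
MUTATING_VERBS = {"update", "patch", "*"}
# Core-group resources whose mutation a node-level agent should not need.
SENSITIVE_RESOURCES = {"nodes", "pods"}

# Constructed sample RBAC objects (hypothetical, not KubeVirt's own roles).
CLUSTER_ROLES = [
    {"metadata": {"name": "node-agent"}, "rules": [
        {"apiGroups": [""], "resources": ["nodes", "nodes/status"],
         "verbs": ["get", "list", "watch", "update", "patch"]}]},
    {"metadata": {"name": "reader"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "nodes"],
         "verbs": ["get", "list", "watch"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "node-agent"},
     "subjects": [{"kind": "ServiceAccount", "name": "node-agent", "namespace": "infra"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "infra"}]},
]


def mutating_resources(role):
    """Return the sensitive resources (incl. subresources) a ClusterRole can update/patch."""
    found = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        if "" not in groups and "*" not in groups:
            continue  # nodes and pods live in the core ("") API group
        if not MUTATING_VERBS & set(rule.get("verbs", [])):
            continue
        for res in rule.get("resources", []):
            # Report subresources such as nodes/status under their parent resource.
            if res == "*" or res.split("/")[0] in SENSITIVE_RESOURCES:
                found.add(res)
    return found


def audit(roles, bindings):
    """Map 'namespace/serviceaccount' to the sensitive resources it may mutate."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    report = defaultdict(set)
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole":
            continue
        resources = mutating_resources(by_name.get(ref["name"], {}))
        for subj in binding.get("subjects", []) if resources else []:
            if subj["kind"] == "ServiceAccount":
                report[f'{subj["namespace"]}/{subj["name"]}'] |= resources
    return dict(report)


if __name__ == "__main__":
    for sa, res in audit(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS).items():
        print(f"{sa}: can mutate {sorted(res)}")
```

Against a live cluster, feed it the `items` arrays from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; every service account it lists that is mounted into a DaemonSet deserves a second look.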
@rmohr Thanks for your reply! Perhaps it's because I ignored the Role and regarded it as a ClusterRole. Anyway, it does not downgrade the key point of my report. Besides, for the critical problem, notice the node escape may be easier via other co-hosted third-party apps :) For example, I have found and reported another issue to the cilium community; "The potential node escape issue" has been confirmed but the fix has not been discussed and opened yet :( By the way, thank you again for the CVE number, it's an honor, and I appreciate your patience and work :)
@rmohr As I am still rejected by the mailing list, can you or @aburdenthehand CC me on a mail when there are any updates about my issue :) Both of you have my email address.
@younaman I've just sent you an invite to join the mailing list, check your email inbox.
@RobertKielty Thanks a lot! I have joined the mailing list, and you should have received my email about "Are there any updates about mitigations?" Have a nice day :)
@rmohr For the cilium node escalation I mentioned in a comment, it has been confirmed and fixed by cilium in cilium version 1.13, so I can report it to you now :) The cilium DaemonSet pod mounts the host's /proc/sys directory with read & write, so if a malicious user can access the cilium pod, he/she can:
@rmohr Knock knock! Are there any updates? Looking forward to your reply :)
So, sorry for the delay. Took me a little bit to check things, since I am myself not that familiar with filing CVEs. I think the best way would be if you just file the CVE yourself, like described here: https://infosecwriteups.com/how-to-register-and-publish-a-cve-for-your-awesome-vulnerability-e68a6a5f748f. You can then hand us over the CVE number which you get (I would file a low-to-med severity CVE). We would then publish a security note on our project referencing your CVE together with mitigations, which will serve as the public reference for your CVE to make it public as well. I think that would be the best way to have you as an owner of this.
@rmohr Thanks for your reply :) However, I think it's better for you to register a CVE number because you stand for the kubevirt community. If I register the CVE myself, I am afraid that cveform.mitre.org will NOT give me a CVE number because of some other reasons. (I believe you know what I mean.)
@rmohr I believe you can register the CVE, and I will do my best to assist you if needed :) More specifically, I have not registered a CVE before. I am very worried that cveform.mitre.org will not give me the CVE number because of some "misbehavior" of mine.
@rmohr I have tried to request a CVE number following https://infosecwriteups.com/how-to-register-and-publish-a-cve-for-your-awesome-vulnerability-e68a6a5f748f, and I filled in the CVE web page following the PDF file which I sent to your email (rmohr@google.com). Please feel free to contact me if you want some changes :) And please let me know if you received the mail. By the way, my CVE ID request is "CVE Request 1411295"; I don't know if you need this information, so I just write it.
@rmohr I tried to send you and the kubevirt maintainers another mail based on your valuable comments, however, it seems that I am banned by your mail server, and my e-mail has been rejected. Your e-mail server says "(Proxy)Host google.com said 450 Broken pipe(CONNECT). Bounce by SDN Rule 14 (tag:8)", and the kubevirt maintainer list's e-mail server says "SMTP through SDN 4, SMTP: (Proxy)Host lists.cncf.io said 500 Invalid request, no reverse DNS for 121.9.212.76 (tag:-1)". Have I done something wrong? Looking forward to your reply!
Hey. Does #9162 fix this issue completely?
On Wed, Apr 12, 2023 at 10:48 AM Fabian Deutsch ***@***.***> wrote:
    Hey. Does #9162 fix this issue completely?

No. As stated in the security advisory, there is no fix at the moment (except custom fine-tuned gatekeeper policies): https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2

Happy if someone follows up with a complete fix, which would probably involve creating a custom KubeVirt node object where we shadow the kubernetes nodes. virt-handlers would only update these objects, and only one central component (virt-controller), optimally running on control-plane nodes, would then mirror annotations and labels to the node itself.

This is a relatively big undertaking and, as far as I can tell, a lot of daemon-set based solutions out there potentially have this issue. For instance the nvidia MIG controller (https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/gpu-operator-mig.html#configuring-mig-profiles).
/reopen
@rmohr: Reopened this issue. In response to this:
Description:
I'm looking forward to hearing back from you!