Executive Summary

This vulnerability is a path traversal flaw in KubeVirt's virt-exportserver component, specifically in the VMExport directory endpoint. An attacker who has namespace-level access and control over files in an exported filesystem Persistent Volume Claim (PVC) can create a symbolic link (symlink) that points outside the PVC's designated mount root. Because the server follows symlinks, this allows the attacker to read arbitrary files from the exporter pod's filesystem, potentially exposing sensitive information.

The vulnerability affects filesystem PVCs that do not have the cdi.kubevirt.io/storage.contentType annotation set to a KubeVirt content type. PVCs with this annotation use safer export endpoints that do not follow symlinks. Exploitation requires the ability to create or control a filesystem PVC, create a VirtualMachineExport resource for that PVC, and possess or obtain the VMExport token.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to information disclosure by allowing an attacker to read arbitrary files from the exporter pod's filesystem. If exploited, sensitive data stored on the pod could be exposed to unauthorized users.

Since the attacker needs namespace-level access and the ability to control or create filesystem PVCs, environments with mixed workloads (pods and VMs) and insufficient access controls are more susceptible.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking for the presence of symbolic links within exported filesystem Persistent Volume Claims (PVCs) that point outside their designated mount root. Since exploitation requires namespace-level access to create or control a filesystem PVC and create a VirtualMachineExport resource, monitoring for such resource creations and symlink manipulations is key.

You can inspect PVC contents for symlinks pointing outside the mount root by executing commands inside the exporter pod or the node hosting the PVC. For example, to find symlinks in a PVC directory:

• find /path/to/pvc/mount -type l -exec ls -l {} \;

Additionally, monitoring Kubernetes audit logs for creation of VirtualMachineExport resources and PVCs with filesystem content types lacking the cdi.kubevirt.io/storage.contentType annotation can help detect potential exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability leads to information disclosure by allowing an attacker to read arbitrary files from the exporter pod's filesystem. Such unauthorized access to sensitive data can impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on the confidentiality and integrity of personal and sensitive information.

Specifically, the exposure of sensitive data due to this path traversal flaw could result in violations of these regulations' requirements for protecting personal data against unauthorized access and disclosure.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting namespace-level access to prevent unauthorized creation or control of filesystem PVCs and VirtualMachineExport resources.

Ensure that filesystem PVCs have the cdi.kubevirt.io/storage.contentType annotation set to a KubeVirt content type, as PVCs with this annotation use safer raw/gzip export endpoints that are not vulnerable.

Review and limit permissions to create or modify symlinks within exported PVCs to prevent attackers from placing symlinks that point outside the mount root.

Apply any available patches or updates to KubeVirt's virt-exportserver component as provided by your vendor or upstream project.

Useful 0 Not Useful 0