On a compromised KubeVirt node, the virt-handler service account can be used to modify all node specs
CVE-2023-26484

8.2HIGH

Key Information:

Vendor: Kubevirt
Status: Kubevirt
Vendor: CVE Published:; 15 March 2023

What is CVE-2023-26484?

KubeVirt, a virtual machine management add-on for Kubernetes, has a vulnerability in versions up to 0.59.0. If an attacker compromises a Kubernetes node running the virt-handler daemon, they can exploit the virt-handler service account to modify node specifications. This enables the attacker to manipulate system-level components, potentially gaining access to sensitive cluster information, including secrets. The attacker can alter node configurations, preventing scheduling on critical nodes, thereby luring privileged components to the compromised node. Currently, no patches have been released, but a temporary workaround involves using a webhook to restrict the virt-handler service account's ability to modify node specs.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

kubevirt <= 0.59.0

References

https://github.com/kubevirt/kubevirt/security/advisories/...

x_refsource_CONFIRM

https://github.com/kubevirt/kubevirt/issues/9109

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 15, 2023
Vulnerability Reserved
Feb 23, 2023

JSON

Kubevirt

What is CVE-2023-26484?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.