Vulnerability Details CVE-2023-26484
KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node-daemon) is running, the virt-handler service account can be used to modify all node specs. This can be misused to lure-in system-level-privileged components which can, for instance, read all secrets on the cluster, or can exec into pods on other nodes. This way, a compromised node can be used to elevate privileges beyond the node until potentially having full privileged access to the whole cluster. The simplest way to exploit this, once a user could compromise a specific node, is to set with the virt-handler service account all other nodes to unschedulable and simply wait until system-critical components with high privileges appear on its node. No patches are available as of time of publication. As a workaround, gatekeeper users can add a webhook which will block the `virt-handler` service account to modify the spec of a node.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.4%
CVSS Severity
CVSS v3 Score 8.2
References
Products affected by CVE-2023-26484
-
cpe:2.3:a:kubevirt:kubevirt:-
-
cpe:2.3:a:kubevirt:kubevirt:0.0.1
-
cpe:2.3:a:kubevirt:kubevirt:0.0.2
-
cpe:2.3:a:kubevirt:kubevirt:0.0.3
-
cpe:2.3:a:kubevirt:kubevirt:0.0.4
-
cpe:2.3:a:kubevirt:kubevirt:0.1.0
-
cpe:2.3:a:kubevirt:kubevirt:0.10.0
-
cpe:2.3:a:kubevirt:kubevirt:0.11.0
-
cpe:2.3:a:kubevirt:kubevirt:0.11.1
-
cpe:2.3:a:kubevirt:kubevirt:0.12.0
-
cpe:2.3:a:kubevirt:kubevirt:0.13.0
-
cpe:2.3:a:kubevirt:kubevirt:0.13.1
-
cpe:2.3:a:kubevirt:kubevirt:0.13.2
-
cpe:2.3:a:kubevirt:kubevirt:0.13.3
-
cpe:2.3:a:kubevirt:kubevirt:0.13.4
-
cpe:2.3:a:kubevirt:kubevirt:0.13.5
-
cpe:2.3:a:kubevirt:kubevirt:0.13.6
-
cpe:2.3:a:kubevirt:kubevirt:0.13.7
-
cpe:2.3:a:kubevirt:kubevirt:0.14.0
-
cpe:2.3:a:kubevirt:kubevirt:0.15.0
-
cpe:2.3:a:kubevirt:kubevirt:0.16.0
-
cpe:2.3:a:kubevirt:kubevirt:0.16.1
-
cpe:2.3:a:kubevirt:kubevirt:0.16.2
-
cpe:2.3:a:kubevirt:kubevirt:0.16.3
-
cpe:2.3:a:kubevirt:kubevirt:0.17.0
-
cpe:2.3:a:kubevirt:kubevirt:0.17.1
-
cpe:2.3:a:kubevirt:kubevirt:0.17.2
-
cpe:2.3:a:kubevirt:kubevirt:0.17.3
-
cpe:2.3:a:kubevirt:kubevirt:0.17.4
-
cpe:2.3:a:kubevirt:kubevirt:0.18.0
-
cpe:2.3:a:kubevirt:kubevirt:0.18.1
-
cpe:2.3:a:kubevirt:kubevirt:0.19.0
-
cpe:2.3:a:kubevirt:kubevirt:0.2.0
-
cpe:2.3:a:kubevirt:kubevirt:0.20.0
-
cpe:2.3:a:kubevirt:kubevirt:0.20.1
-
cpe:2.3:a:kubevirt:kubevirt:0.20.2
-
cpe:2.3:a:kubevirt:kubevirt:0.20.3
-
cpe:2.3:a:kubevirt:kubevirt:0.20.4
-
cpe:2.3:a:kubevirt:kubevirt:0.20.5
-
cpe:2.3:a:kubevirt:kubevirt:0.20.6
-
cpe:2.3:a:kubevirt:kubevirt:0.20.7
-
cpe:2.3:a:kubevirt:kubevirt:0.20.8
-
cpe:2.3:a:kubevirt:kubevirt:0.21.0
-
cpe:2.3:a:kubevirt:kubevirt:0.22.0
-
cpe:2.3:a:kubevirt:kubevirt:0.23.0
-
cpe:2.3:a:kubevirt:kubevirt:0.23.1
-
cpe:2.3:a:kubevirt:kubevirt:0.23.2
-
cpe:2.3:a:kubevirt:kubevirt:0.23.3
-
cpe:2.3:a:kubevirt:kubevirt:0.24.0
-
cpe:2.3:a:kubevirt:kubevirt:0.25.0
-
cpe:2.3:a:kubevirt:kubevirt:0.26.0
-
cpe:2.3:a:kubevirt:kubevirt:0.26.1
-
cpe:2.3:a:kubevirt:kubevirt:0.26.2
-
cpe:2.3:a:kubevirt:kubevirt:0.26.3
-
cpe:2.3:a:kubevirt:kubevirt:0.26.4
-
cpe:2.3:a:kubevirt:kubevirt:0.26.5
-
cpe:2.3:a:kubevirt:kubevirt:0.27.0
-
cpe:2.3:a:kubevirt:kubevirt:0.28.0
-
cpe:2.3:a:kubevirt:kubevirt:0.29.0
-
cpe:2.3:a:kubevirt:kubevirt:0.29.1
-
cpe:2.3:a:kubevirt:kubevirt:0.29.2
-
cpe:2.3:a:kubevirt:kubevirt:0.3.0
-
cpe:2.3:a:kubevirt:kubevirt:0.30.0
-
cpe:2.3:a:kubevirt:kubevirt:0.30.1
-
cpe:2.3:a:kubevirt:kubevirt:0.30.2
-
cpe:2.3:a:kubevirt:kubevirt:0.30.3
-
cpe:2.3:a:kubevirt:kubevirt:0.30.4
-
cpe:2.3:a:kubevirt:kubevirt:0.30.5
-
cpe:2.3:a:kubevirt:kubevirt:0.30.6
-
cpe:2.3:a:kubevirt:kubevirt:0.31.0
-
cpe:2.3:a:kubevirt:kubevirt:0.32.0
-
cpe:2.3:a:kubevirt:kubevirt:0.33.0
-
cpe:2.3:a:kubevirt:kubevirt:0.34.0
-
cpe:2.3:a:kubevirt:kubevirt:0.4.0
-
cpe:2.3:a:kubevirt:kubevirt:0.4.1
-
cpe:2.3:a:kubevirt:kubevirt:0.5.0
-
cpe:2.3:a:kubevirt:kubevirt:0.5.1
-
cpe:2.3:a:kubevirt:kubevirt:0.6.0
-
cpe:2.3:a:kubevirt:kubevirt:0.6.1
-
cpe:2.3:a:kubevirt:kubevirt:0.6.2
-
cpe:2.3:a:kubevirt:kubevirt:0.6.3
-
cpe:2.3:a:kubevirt:kubevirt:0.6.4
-
cpe:2.3:a:kubevirt:kubevirt:0.7.0
-
cpe:2.3:a:kubevirt:kubevirt:0.8.0
-
cpe:2.3:a:kubevirt:kubevirt:0.9.0
-
cpe:2.3:a:kubevirt:kubevirt:0.9.1
-
cpe:2.3:a:kubevirt:kubevirt:0.9.2
-
cpe:2.3:a:kubevirt:kubevirt:0.9.3
-
cpe:2.3:a:kubevirt:kubevirt:0.9.4
-
cpe:2.3:a:kubevirt:kubevirt:0.9.5
-
cpe:2.3:a:kubevirt:kubevirt:0.9.6