A high-severity vulnerability has been discovered in the KubeVirt Containerized Data Importer (CDI) component, impacting multiple products from the vendor "flaw". Successful exploitation could allow an attacker to gain control over the underlying Kubernetes nodes, potentially leading to a full cluster compromise, data theft, and service disruption. Organizations utilizing KubeVirt are urged to apply security updates immediately to mitigate this significant risk.

The vulnerability exists within the data import functionality of the KubeVirt Containerized Data Importer (CDI). An attacker with permissions to create or modify DataVolume custom resources in a Kubernetes cluster can specify a maliciously crafted data source (e.g., a container image or URL). Due to insufficient input validation and sanitization of the source path, this can trigger a path traversal flaw, allowing the attacker to write arbitrary files to the underlying host filesystem of the Kubernetes node executing the import pod. This could be leveraged to overwrite critical system files, plant malware, or execute arbitrary code with the privileges of the CDI component, potentially leading to a full node and cluster compromise.

This vulnerability is rated as High severity with a CVSS score of 8.5. Exploitation poses a direct and severe threat to the confidentiality, integrity, and availability of the entire Kubernetes environment. A successful attack could result in the compromise of the Kubernetes cluster, unauthorized access to sensitive data stored in virtual machines and persistent volumes, deployment of ransomware, or complete disruption of critical services hosted on the platform. The business impact includes potential data breaches, significant operational downtime, financial loss, and reputational damage.

Immediate Action:

• Immediately identify all Kubernetes clusters running the affected KubeVirt CDI component.
• Apply the security updates and patches provided by the vendor across all affected systems as a top priority.
• After patching, monitor for any signs of post-exploitation activity and closely review access logs for any anomalous DataVolume creation or modification events that occurred prior to the patch.

Proactive Monitoring:

• Monitor Kubernetes API audit logs for unusual or suspicious DataVolume resource creation, particularly those referencing unfamiliar or external image registries and URLs.
• Implement network traffic monitoring to detect unexpected egress connections from CDI importer pods to unknown destinations.
• Utilize host-based intrusion detection systems (HIDS) on Kubernetes nodes to monitor for unexpected file modifications or process executions originating from container runtimes.

Compensating Controls:

• If immediate patching is not feasible, implement a Kubernetes admission controller (e.g., OPA Gatekeeper, Kyverno) to create policies that restrict the sources (spec.source) allowed in DataVolume manifests.
• Enforce stricter network policies to limit or block egress traffic from CDI-related pods to the internet or non-essential internal network segments.
• Enhance runtime security monitoring for containers to detect and alert on anomalous behavior within the CDI pods during data import operations.

Public Exploit Available: false

Given the high severity (CVSS 8.5) of this vulnerability, immediate action is required. We strongly recommend that all organizations using the affected products prioritize the deployment of vendor-supplied patches to their production and development environments. Although this CVE is not currently listed on the CISA KEV catalog, its potential impact on critical infrastructure is significant. While patching, organizations should implement the recommended compensating controls and proactive monitoring to reduce the attack surface and improve detection capabilities.