high

AWS IAM Authenticator for Kubernetes AccessKeyID Validation Bypass

Published Mon, Jul 11th, 2022
Platforms

Summary

Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). aws-iam-authenticator can be installed on any Kubernetes cluster, and it is installed by default in any EKS cluster both on AWS cloud and on-premises (Amazon EKS Anywhere). A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. The bug allowed an attacker to (1) craft a malicious token with any action value, (2) without signing the cluster ID, (3) that would manipulate the AccessKeyID value. Essentially, in clusters using aws-iam-authenticator, if an {{AccessKeyID}} was mapped to an IAM user with cluster admin privileges, any non-privileged user could have escalated their privileges to cluster admin.

Affected Services

EKS

Remediation

EKS instances have been auto-updated. For self-hosted installations, upgrading aws-iam-authenticator to v0.5.9 fixes this vulnerability. As a workaround, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.

Tracked CVEs

CVE-2022-2385

References

Disclosure Date
Wed, May 25th, 2022
Exploitablity Period
Oct 2017 - June 2022
Known ITW Exploitation
-
Detection Methods
None - this issue affected the logged identity, and is not discernible from valid requests.
Discovered by
Gafnit Amiga, Lightspin