Summary
Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator).
aws-iam-authenticator can be installed on any Kubernetes cluster, and it is installed by default in any EKS cluster both on AWS cloud and on-premises (Amazon EKS Anywhere).
A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.
The bug allowed an attacker to (1) craft a malicious token with any action value, (2) without signing the cluster ID, (3) that would manipulate the AccessKeyID value.
Essentially, in clusters using aws-iam-authenticator, if an {{AccessKeyID}} was mapped to an IAM user with cluster admin privileges, any non-privileged user could have escalated their privileges to cluster admin.
Affected Services
EKS
Remediation
EKS instances have been auto-updated. For self-hosted installations, upgrading aws-iam-authenticator to v0.5.9 fixes this vulnerability.
As a workaround, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.
Tracked CVEs
CVE-2022-2385
References
https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticatorhttps://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472https://aws.amazon.com/security/security-bulletins/AWS-2022-007/
Contributed by https://github.com/patricksanders
Disclosure Date
Wed, May 25th, 2022
Exploitablity Period
Oct 2017 - June 2022
Known ITW Exploitation
-
Detection Methods
None - this issue affected the logged identity, and is not discernible from valid requests.
Piercing Index Rating
-
Discovered by
Gafnit Amiga, Lightspin
