Severity

high

AWS IAM Authenticator for Kubernetes AccessKeyID Validation Bypass

Published Mon, Jul 11th, 2022

Platforms

aws

Summary

Amazon Elastic Kubernetes Service (EKS) uses IAM to authenticate to the cluster through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). aws-iam-authenticator can be installed on any Kubernetes cluster, and it is installed by default in every EKS cluster, both in the AWS cloud and on-premises (Amazon EKS Anywhere). A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify its username and escalate privileges. The bug allowed an attacker to craft a malicious token (1) with an arbitrary action value, (2) without the cluster ID being signed, and (3) carrying a manipulated AccessKeyID value. Essentially, in clusters using aws-iam-authenticator, if an {{AccessKeyID}} was mapped to an IAM user with cluster admin privileges, any non-privileged user could have escalated their privileges to cluster admin.

Affected Services

EKS

Remediation

EKS clusters have been auto-updated. For self-hosted installations, upgrading aws-iam-authenticator to v0.5.9 fixes this vulnerability. As a workaround, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.
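To check whether a cluster still relies on the workaround-relevant template, the following added example (not code from the advisory or from the aws-iam-authenticator project) scans the text of an aws-auth ConfigMap for mapRoles/mapUsers entries whose username embeds {{AccessKeyID}}. The ConfigMap content is constructed for illustration; the role, user and account values in it are placeholders.

```python
import re

# Constructed sample of an aws-auth ConfigMap (placeholder ARNs, not from the
# advisory). Two of the three username templates embed {{AccessKeyID}}, the
# value the advisory says should not be used to build usernames.
SAMPLE_AWS_AUTH = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/example-admin-role
      username: admin:{{AccessKeyID}}
      groups:
        - system:masters
    - rolearn: arn:aws:iam::111122223333:role/example-dev-role
      username: dev:{{SessionName}}
      groups:
        - developers
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/example-ci
      username: ci-{{AccessKeyID}}
      groups:
        - ci
"""

# Matches a "username:" line inside a mapRoles/mapUsers list item and captures
# its value; a leading "-" is tolerated in case username is the first key.
USERNAME_RE = re.compile(r"^\s*-?\s*username:\s*(?P<value>\S.*?)\s*$")
# The template token, allowing optional whitespace inside the braces.
ACCESS_KEY_TEMPLATE_RE = re.compile(r"\{\{\s*AccessKeyID\s*\}\}")


def find_accesskeyid_usernames(config_text: str) -> list[str]:
    """Return every username template in the ConfigMap that embeds {{AccessKeyID}}."""
    findings = []
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line)
        if m and ACCESS_KEY_TEMPLATE_RE.search(m.group("value")):
            findings.append(m.group("value").strip().strip('"').strip("'"))
    return findings


def uses_safe_username_templates(config_text: str) -> bool:
    """True when no mapping builds its username from {{AccessKeyID}}."""
    return not find_accesskeyid_usernames(config_text)


if __name__ == "__main__":
    for username in find_accesskeyid_usernames(SAMPLE_AWS_AUTH):
        print(f"username template uses AccessKeyID: {username}")
```

On a live cluster the input would be the output of `kubectl -n kube-system get configmap aws-auth -o yaml`; any finding means the workaround has not been applied and the authenticator version should be confirmed to be v0.5.9 or later.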

Tracked CVEs

CVE-2022-2385

References

Contributed by https://github.com/patricksanders

Entry Status

Finalized

Disclosure Date

Wed, May 25th, 2022

Exploitability Period

Oct 2017 - June 2022

Known ITW Exploitation

-

Detection Methods

None - this issue affected the logged identity, and is not discernible from valid requests.

Piercing Index Rating

-

Discovered by

Gafnit Amiga, Lightspin