Summary
Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster
through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). Multiple issues
were identified in the authenticator that could have allowed exploitation, namely (1) a
lax regular expression used to verify presigned URLs; (2) HTTP client redirect follow
(due to using Golang HTTP client in its default configuration); (3) use of the Golang URL.Query
function (which silently drops parameters that Go considers invalid, rather than raising
an error and rejecting invalid tokens); and (4) no verification that the cluster uses Go
versions newer than 1.12 (as older versions are vulnerable to request smuggling).
Affected Services
EKS
Remediation
None required
Tracked CVEs
No tracked CVEs
References
https://bugs.chromium.org/p/project-zero/issues/detail?id=2066https://github.com/kubernetes-sigs/aws-iam-authenticator/pull/341
Contributed by https://github.com/korniko98
Disclosure Date
Wed, Jul 15th, 2020
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Felix Wilhelm, Google
