AWS fixed three authentication bugs present in one line of code in its IAM Authenticator for Kubernetes, used by the cloud giant’s popular managed Kubernetes service Amazon EKS, that could allow an attacker to escalate privileges within a Kubernetes cluster.
“I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities,” explained Lightspin’s Director of Security Research Gafnit Amiga in a report this week about the vulnerabilities.
As AWS noted in its security advisory, the buggy code existed in the authenticator plugin when it’s configured to use the AccessKeyID template parameter. Customers who do not use the AccessKeyID parameter are not affected by this issue.
Amazon updated all EKS clusters worldwide as of June 28, and the new version of the AWS IAM Authenticator for Kubernetes fixes the flaw. This means customers that use AWS IAM Authenticator for Kubernetes within Amazon EKS don’t need to do anything to patch the issue.
However, anyone who hosts and manages their own Kubernetes clusters, and uses the authenticator plugin’s AccessKeyID template parameter should update the AWS IAM Authenticator for Kubernetes to version 0.5.9.
The security issues, tracked as CVE-2022-2385, occurred because of this code line in the parameter validation, according to Amiga. It’s supposed to check the capitalization of the parameter — “for example, ‘Action’ and ‘action,'” she explained — but it didn’t. This allowed duplicated parameters names, which a miscreant could use to escalate privileges.
This isn’t an easy exploit. “Because the for loop is not ordered, the parameters are not always overridden in the order we want, therefore we might need to send the request with the malicious token to the AWS IAM Authenticator server multiple times,” Amiga noted.
The flaws have been around for some time. “The vulnerable root cause was in AWS IAM Authenticator since first commit (Oct 12, 2017), therefore both changing action and unsigned cluster ID tokens were exploitable since day one,” Amiga explained.
Meanwhile, it is possible to have exploited the username through the AccessKeyID since September 2, 2020, when AWS added this feature.
So let’s hope that the cloud security bug hunters found these flaws before anyone found and used them for more nefarious purposes.
Lightspin, which was founded by cloud security penetration testers, also discovered a local file read vulnerability in Amazon’s Relational Database Service (RDS) could have been exploited by an attacker to gain access to internal AWS credentials. By April AWS had applied an initial patch and worked with customers to mitigate the vulnerability. ®