A vulnerability in AWS IAM Authenticator for Kubernetes could allow a malicious actor to impersonate other users and escalate privileges in Kubernetes clusters, a security researcher has discovered.
Tracked as CVE-2022-2385, the now-patched vulnerability could allow an attacker to impersonate other users and escalate privileges in Elastic Kubernetes Service (EKS) clusters configured with the AccessKeyID template parameter.
An attacker could craft a malicious signed request to the Security Token Service (STS) GetCallerIdentity endpoint that includes the same parameter multiple times with different values.
Authentication bypass
Researcher Gafnit Amiga of Lightspin detailed in a blog post how an attacker can send two different variables with the same name but differing only in letter case – for example, sending both ‘Action’ and ‘action’.
Amiga explained: “Since both [variables in the vulnerable code] are… ‘ToLower’, the value in the queryParamsLower dictionary will be overridden while the request to AWS will be sent with both parameters and their values.
“The cool thing is that AWS STS will ignore the parameter it does not expect, in this case AWS STS will ignore the action parameter.”
Amiga wrote: “Because the for loop is not ordered, the parameters are not always overridden in the order we want, therefore we might need to send the request with the malicious token to the AWS IAM Authenticator server multiple times.”
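The parsing flaw described in the quotes above, modelled as an added example in Go (the authenticator's language); this is constructed illustration code, not the project's own, and the function names, the strict variant and the sample queries are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed model of the bug class, not the authenticator's code: every
// parameter name is lower-cased into one map, so "Action" and "action"
// collapse onto one key and whichever is iterated last wins, while the raw
// query forwarded upstream still carries both values.
func lowerCaseParams(rawQuery string) (map[string]string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	lower := make(map[string]string)
	for name, vals := range values {
		// Go map iteration order is random: "the for loop is not ordered".
		lower[strings.ToLower(name)] = vals[0]
	}
	return lower, nil
}

// Hardened variant (an assumed mitigation, not necessarily the project's fix):
// reject any query in which a name repeats or two names collide once
// lower-cased, so the value checked is the only one upstream can see.
func strictParams(rawQuery string) (map[string]string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string)
	for name, vals := range values {
		key := strings.ToLower(name)
		if _, dup := out[key]; dup || len(vals) != 1 {
			return nil, fmt.Errorf("duplicate or case-colliding parameter %q", name)
		}
		out[key] = vals[0]
	}
	return out, nil
}

func main() {
	// Constructed sample queries with placeholder values; the second collides.
	for _, q := range []string{"Action=GetCallerIdentity", "Action=GetCallerIdentity&action=Other"} {
		lenient, _ := lowerCaseParams(q)
		_, err := strictParams(q)
		fmt.Printf("lenient action=%q strict error=%v\n", lenient["action"], err)
	}
}
```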
The root cause had been present since the project's first commit in October 2017. As such, both the changing-action and unsigned cluster ID tokens were exploitable from day one.
Exploiting the username through the AccessKeyID had been possible since September 2020.
Fixes issued
Amiga told The Daily Swig that the vulnerability was difficult to locate, and that it was also tricky to notice that values can be overridden while STS ignores unexpected additional request parameters.
“I tried other attack vectors hoping to manipulate the HTTP client, but they protected against them,” Amiga said.
Amazon has since patched the issues, which Amiga said has “improved the process significantly”. The researcher added: “The entire process was one month, and they kept me updated during the process. We also coordinated the disclosure.”
The issues are fixed in version 0.5.9. More information can be found in Amazon’s security bulletin.