AWS patched a rather embarrassing Kubernetes bug

Letter capitalisation errors could lead to AWS Kubernetes privileges being escalated

Amazon Web Services (AWS) has patched a rather embarrassing bug that could allow threat actors to gain elevated privileges on a Kubernetes cluster.


The bug was found in IAM Authenticator for Kubernetes, a plugin used by Amazon EKS, AWS's managed Kubernetes service for running and scaling Kubernetes applications.

Detailing its findings in a security advisory, AWS explained that the flaw only applies when the authentication plugin is configured to use the AccessKeyID template parameter. Configurations that do not use it are unaffected.

Duplicate parameter name

The vulnerability was first discovered by Lightspin’s Director of Security Research, Gafnit Amiga. In a blog post, she noted: “I found some vulnerabilities in the authentication process that could bypass protection against replay attacks or allow attackers to gain higher permissions in the cluster by impersonating other identities.”

The vulnerability is tracked as CVE-2022-2385. Amiga added that the code was supposed to validate the capitalisation of the parameter name but failed to do so, which leads to errors: threat actors can supply duplicate parameter names that differ only in case and use them to obtain elevated privileges.

However, it is easier said than done. “Because the for loop is not sorted in order, the parameters are not always overwritten in the order we want, so we may need to send the request along with the malicious code to the AWS IAM Authenticator server several times,” Amiga concluded.
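The two paragraphs above describe the bug class: a query-string parser that treats parameter names case-sensitively lets two spellings of the same name coexist, and if the values are later consumed by iterating an unordered map, which copy "wins" is arbitrary. The following added example is not the IAM Authenticator's code and does not reproduce its logic; it is an illustrative Python check that shows the weak, case-sensitive parse beside a hardened parser that canonicalises names and rejects case-insensitive duplicates. The parameter allow-list and the sample presigned-style URLs are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameters a presigned sts:GetCallerIdentity request is expected to carry.
# This allow-list is constructed for the example; it is not the authenticator's own.
EXPECTED_PARAMS = {
    "Action", "Version", "X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
    "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature", "X-Amz-Security-Token",
}

# Constructed sample inputs (not real credentials or signatures).
CLEAN_URL = (
    "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20220101%2Fus-east-1%2Fsts%2Faws4_request"
    "&X-Amz-Date=20220101T000000Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=deadbeef"
)
# Same request with a second copy of X-Amz-Date that differs only in letter case.
DUP_CASE_URL = CLEAN_URL + "&x-amz-date=20220101T000001Z"


def naive_params(url: str) -> dict:
    """Weak parse: keys are compared case-sensitively, so 'X-Amz-Date' and
    'x-amz-date' are stored as two distinct parameters. Whichever one a later
    lookup or map iteration happens to pick is effectively undefined."""
    params = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params[name] = value
    return params


def validate_params(url: str):
    """Hardened parse. Canonicalises every parameter name to lower case, rejects
    any name that appears more than once after canonicalisation, and rejects
    names outside the allow-list. Returns (True, params) or (False, reason)."""
    expected = {p.lower() for p in EXPECTED_PARAMS}
    seen: dict = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        canonical = name.lower()
        if canonical in seen:
            return False, f"duplicate parameter (case-insensitive): {name}"
        if canonical not in expected:
            return False, f"unexpected parameter: {name}"
        seen[canonical] = value
    missing = expected - set(seen) - {"x-amz-security-token"}
    if missing:
        return False, f"missing parameters: {sorted(missing)}"
    return True, seen


if __name__ == "__main__":
    print("naive keys (dup case):", sorted(naive_params(DUP_CASE_URL)))
    print("hardened (clean):", validate_params(CLEAN_URL)[0])
    print("hardened (dup case):", validate_params(DUP_CASE_URL))
```

Note that the hardened parser fails closed on the duplicate before any value is used; rejecting ambiguous input is the fix, not picking a "preferred" copy, because the signature was computed over one specific set of names and values and the verifier must not guess which one the caller meant.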

All existing EKS clusters were patched late last month, and new releases of IAM Authenticator for Kubernetes are no longer vulnerable, so EKS users do not need to take any further action. However, those who host and manage their own Kubernetes clusters and use IAM Authenticator’s AccessKeyID template parameter must ensure that the plugin is updated to version 0.5.9.

She concluded that the bug was first introduced in late 2017, but it wasn’t until September 2020 that it became exploitable.

Written by admin
