Letter capitalisation bug could lead to AWS Kubernetes privileges being escalated
Amazon Web Services (AWS) has patched a rather embarrassing bug that could allow threat actors to gain elevated privileges on a Kubernetes cluster.
The bug was found in IAM Authenticator for Kubernetes, a plugin used by Amazon EKS – a managed Kubernetes service used to run and scale Kubernetes applications.
Detailing its findings in a security advisory, AWS explained that the error occurred only when the authentication plugin was configured to use the AccessKeyID template parameter. Users who do not use that configuration are not affected.
Duplicate parameter name
The vulnerability was first discovered by Lightspin’s Director of Security Research, Gafnit Amiga. In a blog post, she noted: “I found some vulnerabilities in the authentication process that could bypass protection against replay attacks or allow attackers to gain higher permissions in the cluster by impersonating other identities.”
The vulnerability is tracked as CVE-2022-2385, Amiga added, explaining that the code should have checked the capitalisation of parameter names but did not, and that this leads to errors. Threat actors can create duplicate parameter names that differ only in capitalisation and use them to gain elevated privileges.
However, it is easier said than done. “Because the for loop is not iterated in a sorted order, the parameters are not always overwritten in the order we want, so we may need to send the request with the malicious code to the AWS IAM Authenticator server several times,” Amiga concluded.
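The check described above, as an added example that is not code from the article or from the IAM Authenticator project: a Go query-parameter canonicaliser that rejects parameters repeated verbatim or repeated under a different capitalisation, so that a later validator cannot be shown one value while another spelling of the same name carries a different one. The parameter names and values in main() are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DuplicateParamError reports two query parameters that share a name once
// capitalisation is ignored, e.g. "Action" and "action" (constructed example).
type DuplicateParamError struct {
	Name string
}

func (e *DuplicateParamError) Error() string {
	return fmt.Sprintf("duplicate query parameter (case-insensitive): %q", e.Name)
}

// CanonicalParams parses a raw query string into a map keyed by lower-cased
// parameter name. Any name repeated verbatim, or two names that collapse to
// the same key after case folding, cause the whole request to be rejected.
func CanonicalParams(rawQuery string) (map[string]string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(values))
	// Go map iteration order is random, but the result is order-independent:
	// a collision is rejected whichever spelling happens to be seen first.
	for name, vals := range values {
		if len(vals) != 1 {
			return nil, &DuplicateParamError{Name: name}
		}
		key := strings.ToLower(name)
		if _, seen := out[key]; seen {
			return nil, &DuplicateParamError{Name: key}
		}
		out[key] = vals[0]
	}
	return out, nil
}

func main() {
	// Constructed inputs: a clean query and one with a case-variant duplicate.
	for _, q := range []string{"Action=GetCallerIdentity&X-Amz-Expires=60",
		"Action=GetCallerIdentity&action=SomethingElse"} {
		p, err := CanonicalParams(q)
		fmt.Printf("%q -> params=%v err=%v\n", q, p, err)
	}
}
```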
All existing EKS clusters were patched late last month, and the new version of IAM Authenticator for Kubernetes is no longer vulnerable to the attack, without requiring users to take any further action. However, those who host and manage their own Kubernetes clusters and use IAM Authenticator’s AccessKeyID template parameter must ensure that the plugin is updated to version 0.5.9.
She noted that the bug was first introduced in late 2017, but it wasn’t until September 2020 that it became exploitable.