A severe security bug existed in the AWS IAM Authenticator for Kubernetes. Exploiting this vulnerability could allow an adversary to gain elevated privileges on target Kubernetes clusters. Also, an attacker could impersonate other users. Thankfully, the bug received a fix before exploitation in the wild.
AWS IAM Authenticator for Kubernetes Bug
As elaborated in a recent blog post, the security researcher Gafnit Amiga from Lightspin found a severe authentication bypass bug in AWS IAM Authenticator for Kubernetes.
IAM Authenticator is a dedicated authenticator that Amazon Elastic Kubernetes Service (Amazon EKS) uses to provide authentication to the Kubernetes cluster. This IAM authenticator is located inside the cluster’s control and authenticates users via IAM identities like users and roles.
The researcher analyzed this component and found several vulnerabilities that could allow authentication bypass. The bugs negated any protection against replay attacks. Also, they enabled the adversary to gain elevated privileges to the target cluster.
This vulnerability has received the CVE ID CVE-2022-2385 and a high severity rating. According to the vulnerability description, this bug affects users using the AccessKeyID template parameter to construct usernames and provide subsequent user accesses. It existed in AWS IAM authenticator versions v0.5.2 – v0.5.8. Details about the technical aspects of this vulnerability are available in the researcher’s post.
AWS Fixed The Bug
Following this bug discovery, the researcher highlighted the matter to the AWS security team in May 2022. In response, the EKS team started working on developing a fix that they eventually shared with the researcher for testing on June 10, 2022. The researcher then validated the fix, enabling the vendors to deploy the patch with updated releases. Finally, the patch arrived with AWS IAM authenticator v0.5.9.
Since the fix is out, all users must ensure updating to the latest version to receive the patch and avoid potential exploits. In the cases where applying the update is not possible, the vendors recommend not using the {{AccessKeyID}}
template value parameter for constructing usernames as a mitigation strategy.
Let us know your thoughts in the comments.