List:       oss-security
Subject:    [oss-security] [kubernetes] CVE-2022-2385: aws-iam-authenticator AccessKeyID validation bypass
From:       "Hausler, Micah" <mhausler () amazon ! com>
Date:       2022-07-11 16:42:12
Message-ID: C5315523-3149-4845-9560-36D35AD65D2B () amazon ! com

Hello Kubernetes Community,

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may
be able to modify their username and escalate privileges.

This issue has been rated high
(https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and
assigned CVE-2022-2385.

Am I vulnerable?

Users are only affected if they use the {{AccessKeyID}} template parameter to construct a
username and grant different levels of access based on that username.

Affected Versions

  - v0.5.2 - v0.5.8

How do I mitigate this vulnerability?

Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}}
template value to construct usernames.

Fixed Versions

  - aws-iam-authenticator v0.5.9
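As an added example (not part of the advisory and not code from the aws-iam-authenticator project), the following script covers the two questions above: whether a given authenticator version falls inside the affected range, and whether an exported aws-auth ConfigMap builds any username from {{AccessKeyID}}. The ConfigMap and ClusterRoleBinding it scans are constructed for the example (the account ID, role name and the AKIAIOSFODNN7EXAMPLE access key ID are placeholders). The corrected mapping uses {{SessionName}}, another template variable the authenticator documents, but any username that does not depend on the access key ID satisfies the pre-upgrade mitigation described above.

```shell
#!/bin/sh
# Added example for CVE-2022-2385; not code from the advisory or from the
# aws-iam-authenticator project. Two checks an operator can run before and
# after applying the mitigation:
#   version_affected VERSION  - is VERSION inside the affected range v0.5.2 - v0.5.8?
#   audit_aws_auth FILE       - does an exported aws-auth ConfigMap build any
#                               username from {{AccessKeyID}}?
# The ConfigMap and RBAC documents below are constructed for this example.

# Returns 0 (true) when VERSION lies in the advisory's affected range, 1 otherwise.
# Only 0.5.x is examined because those are the only versions the advisory lists;
# a "-rc1" style suffix on the patch number is ignored.
version_affected() {
  v=${1#v}
  oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}
  [ "$major" -eq 0 ] && [ "$minor" -eq 5 ] && [ "$patch" -ge 2 ] && [ "$patch" -le 8 ]
}

# Prints the number of "username:" entries in FILE whose template references
# {{AccessKeyID}} (0 when there are none).
count_accesskeyid_usernames() {
  n=$(grep -c 'username:.*{{ *AccessKeyID *}}' "$1" 2>/dev/null || true)
  printf '%s\n' "${n:-0}"
}

# Returns 0 when FILE (e.g. the output of
#   kubectl -n kube-system get configmap aws-auth -o yaml)
# builds no username from {{AccessKeyID}}, 1 when it does (offending lines go
# to stderr), and 2 when FILE cannot be read.
audit_aws_auth() {
  [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 2; }
  if [ "$(count_accesskeyid_usernames "$1")" -gt 0 ]; then
    printf '%s: username(s) built from {{AccessKeyID}}:\n' "$1" >&2
    grep -n 'username:.*{{ *AccessKeyID *}}' "$1" >&2
    return 1
  fi
  return 0
}

# Constructed vulnerable configuration: the username is templated from the
# caller's access key ID, and a ClusterRoleBinding hands cluster-admin to one
# specific templated username. This is the "different levels of access based
# on the username" setup the advisory describes as affected.
VULNERABLE_CM=$(mktemp); FIXED_CM=$(mktemp)
trap 'rm -f "$VULNERABLE_CM" "$FIXED_CM"' EXIT
cat >"$VULNERABLE_CM" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/developers
      username: dev:{{AccessKeyID}}
      groups:
        - developers
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: lead-developer-admin
subjects:
  - kind: User
    name: dev:AKIAIOSFODNN7EXAMPLE   # privilege keyed on the templated username
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF

# Corrected mapping (the advisory's pre-upgrade mitigation): the same role
# mapping, but the username no longer depends on the access key ID.
cat >"$FIXED_CM" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/developers
      username: dev:{{SessionName}}
      groups:
        - developers
EOF

for f in "$VULNERABLE_CM" "$FIXED_CM"; do
  if audit_aws_auth "$f" 2>/dev/null; then echo "$f: clean"; else echo "$f: AFFECTED"; fi
done
for ver in v0.5.1 v0.5.2 v0.5.8 v0.5.9 v0.6.0; do
  if version_affected "$ver"; then echo "$ver: affected"; else echo "$ver: not affected"; fi
done
```

In a real cluster, point audit_aws_auth at the exported aws-auth ConfigMap and feed version_affected the version your deployment actually runs (for example the image tag); a clean audit is only meaningful together with a version at or above v0.5.9, since the ConfigMap scan says nothing about the binary.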
Detection

Because this issue affects the identity that gets logged, exploitation is not discernible from
valid requests in the logs.

Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472

Acknowledgements

This vulnerability was reported by Gafnit Amiga from Lightspin.

Micah Hausler
Principal Engineer
Amazon Web Services
