CLOUD-2022-0025
Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). aws-iam-authenticator can be installed on any Kubernetes cluster, and it is installed by default in any EKS cluster both on AWS cloud and on-premises (Amazon EKS Anywhere). A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. The bug allowed an attacker to (1) craft a malicious token with any action value, (2) without signing the cluster ID, (3) that would manipulate the AccessKeyID value. Essentially, in clusters using aws-iam-authenticator, if an {{AccessKeyID}} was mapped to an IAM user with cluster admin privileges, any non-privileged user could have escalated their privileges to cluster admin.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| AWS | EKS | |
| AWS | IAM | |
| AWS | Cloud Services | |
| AWS | SES |
Timeline
- Jul 11, 2022 CVE Published
References
- AWS IAM Authenticator for Kubernetes AccessKeyID Validation Bypass advisory
- https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator advisory
- https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472 advisory
- https://aws.amazon.com/security/security-bulletins/AWS-2022-007/ advisory