Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02cjRqLTRyamMtOHZ3Nc4AA-jJ
RBAC Roles for `etcd` created by Kamaji are not disjunct
Summary
Using an "open at the top" range definition in RBAC for etcd roles leads to some TCPs API servers being able to read, write and delete the data of other control planes.
Details
The problematic code is this: https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24
The range created by this RBAC setup code looks like this:
etcdctl role get example
Role example
KV Read:
[/example/, \0)
KV Write:
[/example/, \0)
The range end \0
means "everything that comes after" in etcd, so potentially all the key prefixes of controlplanes with a name that comes after "example" when sorting lexically (e.g. example1
, examplf
, all the way to zzzzzzz
if you will).
PoC
- Create two TCP in the same Namespace
- Scale Kamaji to zero to avoid reconciliations
- change the Kubernetes API Server
--etcd-prefix
flag value to point to the other TCP datastore key - wait it for get it up and running
- use
kubectl
and will notice you're reading and writing data of another Tenant
Impact
Full control over other TCPs data, if you are able to obtain the name of other TCPs that use the same datastore and are able to obtain the user certificates used by your control plane (or you are able to configure the kube-apiserver Deployment, as shown in the PoC).
Permalink: https://github.com/advisories/GHSA-6r4j-4rjc-8vw5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cjRqLTRyamMtOHZ3Nc4AA-jJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-6r4j-4rjc-8vw5, CVE-2024-42480
References:
- https://github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5
- https://github.com/clastix/kamaji/commit/1731e8c2ed5148b125ecfbdf091ee177bd44f3db
- https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24
- https://nvd.nist.gov/vuln/detail/CVE-2024-42480
- https://github.com/advisories/GHSA-6r4j-4rjc-8vw5
Blast Radius: 0.0
Affected Packages
go:github.com/clastix/kamaji
Dependent packages: 4Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 1.0.0
No known fixed version
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 1.0.0