Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xNHBwLWozNmgtM2dxZ84AA1e3

Minimal `basti` IAM Policy Allows Shell Access

Summary

The provided Minimal IAM Policy for `basti connect` does not include the ssm:SessionDocumentAccessCheck condition. As a result, a principal holding that policy can open an interactive shell session on the bastion, not just the intended port-forwarding session.

Details

basti connect is designed to "securely connect to your RDS/Aurora/Elasticache/EC2 instances", using a bastion instance "with AWS Session Manager port forwarding capability to make the target available on your localhost."

The Minimal IAM Policy allows port forwarding via the following statement:

{
  "Effect": "Allow",
  "Action": "ssm:StartSession",
  "Resource": [
    "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
    "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
  ]
}

This statement does not include the following condition. Without it, a caller who starts a session on the instance without naming a document falls back to the default SSM-SessionManagerRunShell document, and that fallback is not checked against the document ARNs listed in Resource:

"Condition": {
    "BoolIfExists": {
        "ssm:SessionDocumentAccessCheck": "true"
    }
}

As a result, the basti connect minimal policy is logically identical to:

{
  "Effect": "Allow",
  "Action": "ssm:StartSession",
  "Resource": [
    "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
    "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
    "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
  ]
}

A basti admin would expect users under the minimal policy to be able only to port forward. In fact, they can also open an interactive shell on the bastion.

For more details on this footgun, see: https://ramimac.me/ssm-iam
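The following is an added example, not part of the advisory or of the basti project: a small Python linter that scans an IAM policy document for Allow statements granting ssm:StartSession on an instance without the ssm:SessionDocumentAccessCheck condition, which is exactly the shape of the footgun described above. The two sample policies embedded in it are constructed for this example: the first is the advisory's minimal statement, the second is the same statement with the condition added. The function and variable names are this example's own, not basti's.

```python
"""Flag ssm:StartSession grants that implicitly permit a shell session.

Added example, not code from the advisory or from basti. An Allow statement
for ssm:StartSession scoped to an instance but lacking the
ssm:SessionDocumentAccessCheck condition lets a caller omit the document
name and fall back to SSM-SessionManagerRunShell, i.e. get a shell.
"""
import fnmatch
import json

SHELL_DOCUMENT = "SSM-SessionManagerRunShell"   # default document when none is named
CONDITION_KEY = "ssm:SessionDocumentAccessCheck"

# Constructed sample input: the advisory's minimal statement (Sid added for reporting).
VULNERABLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BastiPortForwarding",
    "Effect": "Allow",
    "Action": "ssm:StartSession",
    "Resource": [
      "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
      "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
    ]
  }]
}"""

# Constructed sample input: the same statement with the access check enforced,
# so only the explicitly listed document ARN may be used against the instance.
FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BastiPortForwarding",
    "Effect": "Allow",
    "Action": "ssm:StartSession",
    "Resource": [
      "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
      "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
    ],
    "Condition": {
      "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}
    }
  }]
}"""


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_start_session(stmt):
    """True if any Action pattern (including wildcards like ssm:* or ssm:Start*) covers StartSession."""
    patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(fnmatch.fnmatchcase("ssm:startsession", p) for p in patterns)


def _has_document_access_check(stmt):
    """True if the statement requires ssm:SessionDocumentAccessCheck to be true.

    Condition operators and keys are matched case-insensitively; both Bool and
    BoolIfExists count, as either makes the listed document ARNs binding.
    """
    condition = stmt.get("Condition") or {}
    for operator, pairs in condition.items():
        if operator.lower() not in ("bool", "boolifexists"):
            continue
        for key, value in pairs.items():
            if key.lower() == CONDITION_KEY.lower():
                if any(str(v).lower() == "true" for v in _as_list(value)):
                    return True
    return False


def find_shell_footguns(policy_json):
    """Return one finding per Allow statement that grants ssm:StartSession on an
    instance (or on "*") without the document access check. Deny statements,
    NotAction, and permission boundaries are deliberately not evaluated here."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _allows_start_session(stmt):
            continue
        resources = _as_list(stmt.get("Resource"))
        instance_targets = [r for r in resources if ":instance/" in r or r == "*"]
        if not instance_targets or _has_document_access_check(stmt):
            continue
        findings.append({
            "statement": stmt.get("Sid", f"Statement[{idx}]"),
            "targets": instance_targets,
            "implicit_document": SHELL_DOCUMENT,
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("fixed", FIXED_POLICY)):
        findings = find_shell_footguns(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['statement']}: ssm:StartSession on {f['targets']} "
                  f"also permits {f['implicit_document']}")
```

Feed it the policy JSON you actually deploy (for example the Document field returned by `aws iam get-policy-version`). The check is intentionally conservative: a missing condition on an instance-scoped Allow is reported even if some other statement denies the shell document, because a reviewer should see the grant and decide, rather than rely on the linter to model the full evaluation order.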

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Impact

Impact would depend on configuration/hardening of the bastion. I've seen examples where bastions have credentials to downstream systems in configuration or memory that would be exposed.

Permalink: https://github.com/advisories/GHSA-q4pp-j36h-3gqg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNHBwLWozNmgtM2dxZ84AA1e3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 8 months ago
Updated: 8 months ago


Identifiers: GHSA-q4pp-j36h-3gqg
References: Repository: https://github.com/BohdanPetryshyn/basti
Blast Radius: 0.0

Affected Packages

npm:basti-cdk
Dependent packages: 0
Dependent repositories: 1
Downloads: 408 last month
Affected Version Ranges: < 1.0.1
Fixed in: 1.0.1
All affected versions: 1.0.0
All unaffected versions: 1.0.1, 1.0.2, 1.0.3