GHSA-6R4J-4RJC-8VW5

Vulnerability from github – Published: 2024-08-12 18:22 – Updated: 2024-11-18 16:27
VLAI?
Summary
RBAC Roles for `etcd` created by Kamaji are not disjunct
Details

Summary

Using an "open at the top" range definition in RBAC for etcd roles leads to some TCPs API servers being able to read, write and delete the data of other control planes.

Details

The problematic code is this: https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24

The range created by this RBAC setup code looks like this:

etcdctl role get example
Role example
KV Read:
    [/example/, \0)
KV Write:
    [/example/, \0)

The range end \0 means "everything that comes after" in etcd, so potentially all the key prefixes of controlplanes with a name that comes after "example" when sorting lexically (e.g. example1, examplf, all the way to zzzzzzz if you will).

PoC

  1. Create two TCP in the same Namespace
  2. Scale Kamaji to zero to avoid reconciliations
  3. change the Kubernetes API Server --etcd-prefix flag value to point to the other TCP datastore key
  4. wait it for get it up and running
  5. use kubectl and will notice you're reading and writing data of another Tenant

Impact

Full control over other TCPs data, if you are able to obtain the name of other TCPs that use the same datastore and are able to obtain the user certificates used by your control plane (or you are able to configure the kube-apiserver Deployment, as shown in the PoC).

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/clastix/kamaji"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-12T18:22:06Z",
    "nvd_published_at": "2024-08-12T16:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n_Using an \"open at the top\" range definition in RBAC for etcd roles leads to some TCPs API servers being able to read, write and delete the data of other control planes._\n\n### Details\n\nThe problematic code is this: https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24\n\nThe range created by this RBAC setup code looks like this:\n\n```\netcdctl role get example\nRole example\nKV Read:\n\t[/example/, \\0)\nKV Write:\n\t[/example/, \\0)\n```\n\nThe range end `\\0` means \"everything that comes after\" in etcd, so potentially all the key prefixes of controlplanes with a name that comes after \"example\" when sorting lexically (e.g. `example1`, `examplf`, all the way to `zzzzzzz` if you will).\n\n### PoC\n\n1. Create two TCP in the same Namespace\n2. Scale Kamaji to zero to avoid reconciliations\n3. change the Kubernetes API Server `--etcd-prefix` flag value  to point to the other TCP datastore key\n4. wait it for get it up and running\n5. use `kubectl` and will notice you\u0027re reading and writing data of another Tenant\n\n### Impact\n\nFull control over other TCPs data, if you are able to obtain the name of other TCPs that use the same datastore and are able to obtain the user certificates used by your control plane (or you are able to configure the kube-apiserver Deployment, as shown in the PoC).\n",
  "id": "GHSA-6r4j-4rjc-8vw5",
  "modified": "2024-11-18T16:27:03Z",
  "published": "2024-08-12T18:22:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clastix/kamaji/commit/1731e8c2ed5148b125ecfbdf091ee177bd44f3db"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/clastix/kamaji"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clastix/kamaji/blob/8cdc6191242f80d120c46b166e2102d27568225a/internal/datastore/etcd.go#L19-L24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "RBAC Roles for `etcd` created by Kamaji are not disjunct"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.