Researchers have detailed a flaw in the AWS IAM Authenticator for Kubernetes that could allow a malicious actor to impersonate other users and escalate privileges in Kubernetes clusters.
The vulnerability, tracked as CVE-2022-2385, could allow an attacker to impersonate other users by crafting a malicious signed request to the Security Token Service (STS) GetCallerIdentity action, and to escalate privileges in Elastic Kubernetes Service (EKS) clusters configured with the AccessKeyID template parameter.
The value in the queryParamsLower dictionary will be overridden while the request to AWS will be sent with both parameters and their values. AWS STS will ignore the parameter it does not expect; in this case, AWS STS will ignore the action parameter.
Since the for loop is not ordered, the parameters are not always overridden in the order we want, therefore we might need to send the request with the malicious token to the AWS IAM Authenticator server multiple times. – Researcher’s statement
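The mechanism the researcher describes, as an added example that is not code from the article or from the authenticator project: a hypothetical reimplementation of the lowercasing pattern in Go (the language the authenticator is written in), a model of STS reading only the exact-case "Action" key, a replay loop that exposes the randomized map-iteration order, and a hardened parser that rejects colliding parameter names. The query string, the "AssumeRole" placeholder value and all function names are constructed for illustration; the same collision applies to any parameter the authenticator reads from the lowercased map.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed malicious query string (illustration only): the raw query carries
// a properly cased "Action", which is what AWS STS honours, plus a lowercase
// duplicate "action" with a different, attacker-chosen value.
const maliciousQuery = "Action=GetCallerIdentity&action=AssumeRole&X-Amz-Expires=60"

// lowerParamsVulnerable mirrors the pattern described in the article
// (hypothetical, not the authenticator's source): every parameter name is
// lowercased into a fresh map. url.Values is itself a Go map, iterated in
// randomized order, so "Action" and "action" race for the single "action"
// slot while the raw query still reaches STS with both parameters.
func lowerParamsVulnerable(rawQuery string) (map[string]string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	lower := make(map[string]string, len(values))
	for name, vals := range values {
		lower[strings.ToLower(name)] = vals[0]
	}
	return lower, nil
}

// stsAction models what STS itself reads: query parameter names are
// case-sensitive, so only the exact key "Action" counts and the lowercase
// duplicate is ignored.
func stsAction(rawQuery string) (string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return values.Get("Action"), nil
}

// countMismatch replays the vulnerable parsing n times and counts how often
// the authenticator's view of "action" disagrees with what STS would execute.
// The count varies from run to run; that is the nondeterminism behind the
// researcher's remark that the token may have to be sent several times.
func countMismatch(rawQuery string, n int) (int, error) {
	want, err := stsAction(rawQuery)
	if err != nil {
		return 0, err
	}
	mismatches := 0
	for i := 0; i < n; i++ {
		lower, err := lowerParamsVulnerable(rawQuery)
		if err != nil {
			return 0, err
		}
		if lower["action"] != want {
			mismatches++
		}
	}
	return mismatches, nil
}

// lowerParamsHardened is the added fix: refuse any token in which two
// parameter names collide after lowercasing, or any name carries more than
// one value, so the authenticator can never see a value STS did not.
func lowerParamsHardened(rawQuery string) (map[string]string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	lower := make(map[string]string, len(values))
	for name, vals := range values {
		if len(vals) != 1 {
			return nil, fmt.Errorf("parameter %q given %d times", name, len(vals))
		}
		key := strings.ToLower(name)
		if _, dup := lower[key]; dup {
			return nil, fmt.Errorf("parameter %q duplicated with different casing", key)
		}
		lower[key] = vals[0]
	}
	return lower, nil
}

func main() {
	mismatches, err := countMismatch(maliciousQuery, 1000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable parser disagreed with STS in %d of 1000 parses\n", mismatches)
	if _, err := lowerParamsHardened(maliciousQuery); err != nil {
		fmt.Println("hardened parser rejected token:", err)
	}
}
```

Running the block prints a mismatch count that changes between runs; the hardened parser rejects the token every time, which is the property a verifier in front of STS needs: whatever it validates must be exactly what STS will act on.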
The root cause has been present since the first commit in October 2017, so both issues that rely on it, the changeable action and the unsigned cluster ID in the token, were exploitable from day one. Exploiting the username through the AccessKeyID has been possible since September 2020.
Amazon has since patched the issues in version 0.5.9 of the authenticator; clusters that run their own copy of aws-iam-authenticator need to upgrade to that release or later.
This research was conducted and documented by researcher Gafnit Amiga of Lightspin.