AWS patches 'one bug, three vulnerabilities' authentication error

An error in one line of code in an AWS authentication component has created a trio of security bugs.

Discovered by Gafnit Amiga of Lightspin, the bug is in AWS’ Identity & Access Management (IAM) authenticator for Kubernetes.

“I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities”, Amiga wrote in a post.

Assigned CVE-2022-2385, the bug is a mistake in parameter validation – the guilty line of code doesn’t check the capitalisation of parameters passed to it.

As a result, “an attacker can send two different variables with the same name but with different uppercase, lowercase characters. For example, ‘Action’ and ‘action’,” Amiga wrote.

The most serious effect of the bug is the privilege escalation.

“In AWS IAM Authenticator, an attacker could craft a malicious token that will manipulate the AccessKeyID value," Amiga wrote.

AccessKeyID is the parameter assigned to an authenticated user.

“I could enter any string I want, and AWS IAM Authenticator server will use this string as a replacement to the {{AccessKeyID}} placeholder during the mapping.

“This can lead to privilege escalation in the EKS [Elastic Kubernetes Service] cluster.”

The code error also bypasses protection in the authenticator against replay attacks, Amiga added.

As AWS noted in its advisory: “The researcher identified a query parameter validation issue within the authenticator plugin when configured to use the ‘AccessKeyID’ template parameter within query strings. 

“This issue could have permitted a knowledgeable attacker to escalate privileges within a Kubernetes cluster. Customers who do not use the ‘AccessKeyID’ parameter are not affected by this issue.”

AWS said the problem is fixed both in its cloud products and in the relevant software, for those standing up their own Kubernetes clusters.

“As of June 28, 2022, all EKS clusters worldwide have been updated with a new version of the AWS IAM Authenticator for Kubernetes, containing a fix for this issue," the company’s advisory stated.

Customers who use the AWS IAM Authenticator for Kubernetes within Amazon EKS do not need to take any action to protect themselves.

“Customers who host and manage their own Kubernetes clusters, and who use the authenticator plugin’s ‘AccessKeyID’ template parameter should update the AWS IAM Authenticator for Kubernetes to version 0.5.9."