CVE-2022-2385: AWS IAM Authenticator for Kubernetes Privilege Escalation flaw
Amazon issued a security advisory Monday to address a vulnerability (CVE-2022-2385) that could enable an attacker to escalate privileges in an EKS (Elastic Kubernetes Service) cluster. Discovered by Gafnit Amiga of Lightspin, the bug has been rated high severity.
According to the advisory, the vulnerability affects the AWS IAM Authenticator for Kubernetes. The advisory also offers software updates and workarounds for the vulnerability, which is present in versions v0.5.2 through v0.5.8 of AWS IAM Authenticator for Kubernetes.
“I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. An attacker can send two different variables with the same name but with different uppercase, lowercase characters. For example, ‘Action’ and ‘action’,” Amiga wrote in a post.
AWS IAM Authenticator is a tool for using AWS IAM credentials to authenticate to a Kubernetes cluster. The initial work on this tool was driven by Heptio. The project receives contributions from multiple community engineers and is currently maintained by Heptio and Amazon EKS OSS engineers.
“The researcher identified a query parameter validation issue within the authenticator plugin when configured to use the ‘AccessKeyID’ template parameter within query strings. This issue could have permitted a knowledgeable attacker to escalate privileges within a Kubernetes cluster. Customers who do not use the ‘AccessKeyID’ parameter are not affected by this issue,” according to the company.
“As of June 28, 2022, all EKS clusters worldwide have been updated with a new version of the AWS IAM Authenticator for Kubernetes, containing a fix for this issue,” the company’s advisory added.
CVE-2022-2385 can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.
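As an added defensive illustration (not code from the authenticator project or the advisory), the Go program below shows the check a query-parameter validator needs to close the class of flaw Amiga describes: it rejects any presigned-URL query in which two parameter names collide after case-folding (such as ‘Action’ and ‘action’) or repeat outright, and reads the access key ID only from that canonical map. The SigV4 X-Amz-Credential layout is assumed as the carrier of the access key ID, and AKIAEXAMPLE is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var ErrDuplicateParam = errors.New("query parameter names collide case-insensitively")

// canonicalQuery parses a raw query string into a map keyed by lower-cased name.
// A name that repeats, or two names differing only by case, is rejected outright,
// so the validator and the later value lookup can never disagree on what was checked.
func canonicalQuery(rawQuery string) (map[string]string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(values))
	for name, vals := range values {
		key := strings.ToLower(name)
		if _, seen := out[key]; seen || len(vals) != 1 {
			return nil, fmt.Errorf("%w: %q", ErrDuplicateParam, name)
		}
		out[key] = vals[0]
	}
	return out, nil
}

// accessKeyIDFromCredential reads the access key ID from the canonical map, assuming
// the SigV4 layout "<AccessKeyID>/<date>/<region>/<service>/aws4_request".
func accessKeyIDFromCredential(q map[string]string) (string, error) {
	parts := strings.Split(q["x-amz-credential"], "/")
	if len(parts) != 5 || parts[0] == "" {
		return "", errors.New("missing or malformed X-Amz-Credential")
	}
	return parts[0], nil
}

func main() {
	// Constructed sample with a placeholder key ID, then the same query with 'action' added in a second case.
	good := "Action=GetCallerIdentity&X-Amz-Credential=AKIAEXAMPLE/20220628/us-east-1/sts/aws4_request"
	for _, raw := range []string{good, good + "&action=GetCallerIdentity"} {
		if q, err := canonicalQuery(raw); err != nil {
			fmt.Println("rejected:", err)
		} else if id, err := accessKeyIDFromCredential(q); err == nil {
			fmt.Println("accepted, access key ID:", id)
		}
	}
}
```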