[kubernetes] CVE-2022-2385: aws-iam-authenticator AccessKeyID validation bypass

["Hausler, Micah" <mhausler () amazon com>]

Hello Kubernetes Community,

 

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their 
username and escalate privileges. 

This issue has been rated high 
(https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385
Am I vulnerable?
Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different 
levels of access based on the username.
Affected Versions
v0.5.2 - v0.5.8
How do I mitigate this vulnerability?
Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct 
usernames.
Fixed Versions
aws-iam-authenticator v0.5.9
Detection
This issue affected the logged identity, and is not discernible from valid requests.
Additional Details
See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472
Acknowledgements
This vulnerability was reported by Gafnit Amiga from Lightspin

 

 

Micah Hausler

Principal Engineer

Amazon Web Services

Attachment: smime.p7s
Description: