GHSA-q4pp-j36h-3gqg

Suggest an improvement
Source
https://github.com/advisories/GHSA-q4pp-j36h-3gqg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q4pp-j36h-3gqg/GHSA-q4pp-j36h-3gqg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q4pp-j36h-3gqg
Published
2023-08-24T12:53:06Z
Modified
2023-08-24T12:53:06Z
Summary
Minimal `basti` IAM Policy Allows Shell Access
Details

Summary

The provided Minimal IAM Policy for bastic connect does not include ssm:SessionDocumentAccessCheck. This results in the ability to get a shell session on the bastion, not just the intended access for Port Forwarding.

Details

basti connect is designed to "securely connect to your RDS/Aurora/Elasticache/EC2 instances", using a bastion instance "with AWS Session Manager port forwarding capability to make the target available on your localhost."

The Minimal IAM Policy allows port forwarding via the following statement:

 {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
        "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
      ]
    }

This statement does not include the following condition:

"Condition": {
    "BoolIfExists": {
        "ssm:SessionDocumentAccessCheck": "true"
    }
}

As a result, the basti connect minimal policy is logically identical to:

 {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
        "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
        "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
      ]
    }

A basti admin would expect users under the minimal policy to be able to port forward. However, they could also get a shell on the bastion.

For more details on this footgun, see: https://ramimac.me/ssm-iam

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Impact

Impact would depend on configuration/hardening of the bastion. I've seen examples where bastions have credentials to downstream systems in configuration or memory that would be exposed.

References

Affected packages

npm / basti-cdk

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.1