Security News > 2022 > July > Amazon squashes years-old authentication bugs in AWS Kubernetes service

Amazon squashes years-old authentication bugs in AWS Kubernetes service
2022-07-12 18:45

AWS fixed three authentication bugs present in one line of code in its IAM Authenticator for Kubernetes, used by the cloud giant's popular managed Kubernetes service Amazon EKS, that could allow an attacker to escalate privileges within a Kubernetes cluster.

Amazon updated all EKS clusters worldwide as of June 28, and the new version of the AWS IAM Authenticator for Kubernetes fixes the flaw.

This means customers that use AWS IAM Authenticator for Kubernetes within Amazon EKS don't need to do anything to patch the issue.

Anyone who hosts and manages their own Kubernetes clusters, and uses the authenticator plugin's AccessKeyID template parameter should update the AWS IAM Authenticator for Kubernetes to version 0.5.9.

"Because the for loop is not ordered, the parameters are not always overridden in the order we want, therefore we might need to send the request with the malicious token to the AWS IAM Authenticator server multiple times," Amiga noted.

Lightspin, which was founded by cloud security penetration testers, also discovered a local file read vulnerability in Amazon's Relational Database Service could have been exploited by an attacker to gain access to internal AWS credentials.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/12/authentication_bug_aws_kubernetes/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Amazon 64 9 60 39 13 121
Kubernetes 18 12 49 23 5 89