PT-2024-30561
Younaman
Published 2024-08-20 · Updated 2024-08-31
CVE-2024-43403
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kanister (affected versions not specified)
Description
Kanister is a data protection workflow management tool. It ships a Deployment named default-kanister-operator whose service account is bound to the ClusterRole edit through a ClusterRoleBinding. edit is one of the ClusterRoles Kubernetes creates by default; it grants the create, patch and update verbs on daemonsets resources, the create verb on serviceaccounts/token resources, and the impersonate verb on serviceaccounts resources.

A malicious user who gains access to a worker node running this component can use those permissions for a cluster-level privilege escalation: the create/patch/update verbs on daemonsets allow creating or modifying a set of Pods that mount a high-privilege service account; the create verb on serviceaccounts/token allows generating new service account tokens and operating with high-privilege roles; and the impersonate verb on serviceaccounts allows impersonating high-privilege service accounts, gaining access to roles such as cluster administrator.
Recommendations
To mitigate this issue, set the rbac.create flag to false in the Kanister Helm chart. This flag controls whether the chart creates the RBAC rules for the Kanister service account; with it disabled, the user creates the RBAC rules themselves and can limit the role bindings for the Kanister service account, for example by scoping them to a specific namespace. The service account can also be configured via Helm to restrict its privileges. As a temporary workaround, consider restricting access to the default-kanister-operator deployment and to the edit ClusterRole to minimize the risk of exploitation.
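The grant pattern in the description and the namespace scoping in the recommendation can be checked together. The Python below is an added example, not Kanister's own code or chart: it audits RBAC objects shaped like `kubectl get clusterrole,clusterrolebinding -o json` items for a service account bound cluster-wide to a role carrying the verbs this advisory names, then shows that the same role granted through a namespaced RoleBinding (what you would create yourself after setting rbac.create to false) no longer trips the check. All sample objects are constructed; the service account name and namespace and the binding names are assumptions, and the edit rules are a trimmed excerpt mirroring the built-in role's shape rather than a verbatim copy.

```python
"""Audit cluster-wide RBAC grants of the kind described in this advisory.

Added example (not Kanister code). Objects mirror `kubectl ... -o json` items.
"""

# (apiGroup, resource, verb) triples the advisory calls out as dangerous when a
# service account holds them for the whole cluster.
RISKY_GRANTS = frozenset({
    ("apps", "daemonsets", "create"),
    ("apps", "daemonsets", "patch"),
    ("apps", "daemonsets", "update"),
    ("", "serviceaccounts/token", "create"),
    ("", "serviceaccounts", "impersonate"),
})


def _allows(field, wanted):
    """A PolicyRule list field allows `wanted` if it names it or uses '*'."""
    return wanted in field or "*" in field


def risky_grants_in_role(role):
    """Return the subset of RISKY_GRANTS that the role's rules permit."""
    found = set()
    for rule in role.get("rules", []):
        for group, resource, verb in RISKY_GRANTS:
            if (_allows(rule.get("apiGroups", []), group)
                    and _allows(rule.get("resources", []), resource)
                    and _allows(rule.get("verbs", []), verb)):
                found.add((group, resource, verb))
    return found


def audit_bindings(bindings, roles):
    """Findings: (namespace/sa, role name, grants) for each ServiceAccount bound
    cluster-wide via a ClusterRoleBinding to a ClusterRole with risky grants.
    Namespaced RoleBindings are skipped on purpose: they confine the verbs to
    one namespace, which is the scoping the recommendation describes."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles if r["kind"] == "ClusterRole"}
    findings = []
    for binding in bindings:
        if binding["kind"] != "ClusterRoleBinding":
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        grants = risky_grants_in_role(role) if role else set()
        if not grants:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                sa = f"{subject.get('namespace', '')}/{subject['name']}"
                findings.append((sa, binding["roleRef"]["name"], sorted(grants)))
    return findings


# Constructed sample objects. The "edit" rules are a trimmed excerpt mirroring
# the shape of the built-in role, not a verbatim copy of it.
EDIT_ROLE = {"kind": "ClusterRole", "metadata": {"name": "edit"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
]}
VIEW_ROLE = {"kind": "ClusterRole", "metadata": {"name": "view"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments"],
     "verbs": ["get", "list", "watch"]},
]}
# Assumed service account name and namespace for the default-kanister-operator Deployment.
KANISTER_SA = {"kind": "ServiceAccount", "name": "default-kanister-operator", "namespace": "kanister"}

# Weak setting: the operator's service account holds "edit" for the whole cluster.
WEAK_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "kanister-edit"},
                "roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": [KANISTER_SA]}
# Corrected setting: a RoleBinding grants the same role only inside the operator's namespace.
SCOPED_BINDING = {"kind": "RoleBinding", "metadata": {"name": "kanister-edit", "namespace": "kanister"},
                  "roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": [KANISTER_SA]}
# Unrelated read-only binding that the audit should leave alone.
BENIGN_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "monitoring-view"},
                  "roleRef": {"kind": "ClusterRole", "name": "view"},
                  "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}]}
ROLES = [EDIT_ROLE, VIEW_ROLE]


def before_fix():
    """Audit the cluster as shipped by the chart defaults: one finding expected."""
    return audit_bindings([WEAK_BINDING, BENIGN_BINDING], ROLES)


def after_fix():
    """Audit after replacing the ClusterRoleBinding with a namespaced one: no findings."""
    return audit_bindings([SCOPED_BINDING, BENIGN_BINDING], ROLES)


if __name__ == "__main__":
    for sa, role, grants in before_fix():
        print(f"FINDING: {sa} bound cluster-wide to ClusterRole/{role}: {grants}")
    print("after scoping:", after_fix() or "no findings")
```

To run this against a real cluster, load the `items` arrays from the kubectl JSON output into `bindings` and `roles`; setting rbac.create to false in the chart is what stops Helm from recreating the cluster-wide binding on the next upgrade, and the audit gives you a regression check that the scoped binding stayed in place.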
Weakness Enumeration
Improper Privilege Management
Related Identifiers
CVE-2024-43403
Affected Products
Kanister
Kubernetes