CVE-2022-24769
Authorization Bypass vulnerability in moby (Go)
What is CVE-2022-24769 About?
This vulnerability is an authorization bypass in the Vault and Vault Enterprise Google Cloud secrets engine. It failed to preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. This could lead to a loss of intended restrictions, effectively bypassing security policies. Exploitation would involve an attacker with privileges to manage rolesets.
Affected Software
- github.com/moby/moby
  - <20.10.14+incompatible
  - <20.10.14
- github.com/docker/docker
  - <20.10.14+incompatible
  - <20.10.14
Technical Details
The Vault and Vault Enterprise Google Cloud secrets engine provides functionality to manage Google Cloud IAM policies, including rolesets. The vulnerability arises from an oversight in the logic that handles the creation or updating of these rolesets. Specifically, when a roleset is created or modified through Vault, the mechanism responsible for applying Google Cloud IAM Conditions does not correctly preserve any existing or newly defined conditions. Instead, these conditions are implicitly ignored or overwritten, defaulting to 'no condition' or a generic one. This allows an attacker, or even an unintentional misconfiguration, to effectively bypass the fine-grained access control intended by Google Cloud IAM Conditions. A roleset that was meant to be conditional becomes unconditional, granting broader permissions than intended and potentially leading to unauthorized access to Google Cloud resources.
What is the Impact of CVE-2022-24769?
Successful exploitation may allow attackers to bypass intended Google Cloud IAM Conditions, leading to unintended and potentially unauthorized access to Google Cloud resources, compromising confidentiality and integrity.
What is the Exploitability of CVE-2022-24769?
Exploitation of this authorization bypass vulnerability is moderately complex. It requires an attacker to be an authenticated user of Vault with specific privileges to create or update rolesets within the Google Cloud secrets engine. This is an authenticated, remote exploitation scenario. There are no specific authentication bypasses involved. Privilege requirements are tied to Vault's internal authorization for managing cloud secrets. Special conditions include the reliance on Google Cloud IAM Conditions for fine-grained access control within the target environment. The likelihood of exploitation increases if an attacker gains access to a Vault user with roleset management permissions, as they could then silently weaken security policies without being immediately detected by Google Cloud IAM. No user interaction is required for the actual impact once the roleset is modified.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-24769?
Available Upgrade Options
- github.com/moby/moby
  - <20.10.14 → Upgrade to 20.10.14
- github.com/moby/moby
  - <20.10.14+incompatible → Upgrade to 20.10.14+incompatible
- github.com/docker/docker
  - <20.10.14 → Upgrade to 20.10.14
- github.com/docker/docker
  - <20.10.14+incompatible → Upgrade to 20.10.14+incompatible
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG
- https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
- https://github.com/moby/moby
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC
- https://security.gentoo.org/glsa/202401-31
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL
- https://www.debian.org/security/2022/dsa-5162
What are Similar Vulnerabilities to CVE-2022-24769?
Similar Vulnerabilities: CVE-2023-4581, CVE-2022-29361, CVE-2021-39225, CVE-2020-12821, CVE-2019-14902
