CVE-2023-35165
Overly permissive trust policy vulnerability in aws-cdk-lib (npm)

Category: overly permissive trust policy. Known public exploit: none.

What is CVE-2023-35165 About?

This vulnerability in the AWS Cloud Development Kit (CDK) EKS cluster constructs causes two IAM roles to be created with an overly permissive trust policy, which can lead to privilege escalation and data exfiltration. The trust policy names the account root principal, so any IAM principal in the same AWS account whose identity policy allows `sts:AssumeRole` on the role (commonly via `Resource: "*"`) can assume it. The realistic threat is therefore an insider, or an attacker who has already compromised some account-internal identity, rather than an unauthenticated remote party.

Affected Software

  • aws-cdk-lib
    • >=2.0.0, <2.80.0
  • @aws-cdk/aws-eks
    • >=1.57.0, <1.202.0

Technical Details

The vulnerability affects the eks.Cluster and eks.FargateCluster constructs in AWS CDK v1 from 1.57.0 (for the MastersRole) and 1.62.0 (for the CreationRole) onwards, and every v2 release before 2.80.0. The constructs create two IAM roles: a 'CreationRole' that the CDK's Lambda handlers assume to create the cluster and deploy resources onto it (KubernetesManifest, HelmChart and similar), and a 'default MastersRole', provisioned only when no `mastersRole` property is supplied, which is mapped into the cluster's RBAC so that whoever assumes it can run kubectl commands. In affected versions both roles are provisioned with a trust policy whose principal is the account root (`arn:aws:iam::<account-id>:root`). A root principal in a trust policy delegates the decision to IAM, so any identity in the account that has `sts:AssumeRole` on the role, for example through a policy with `Resource: "*"`, can assume these highly privileged roles, bypass the intended authorization and gain extensive control over the EKS cluster and related resources. The misconfiguration stems from the CDK's default role creation behavior, not from anything the user writes.

What is the Impact of CVE-2023-35165?

Successful exploitation may allow attackers to achieve privilege escalation, execute unauthorized commands on the EKS cluster, and perform data exfiltration by assuming highly privileged IAM roles.

What is the Exploitability of CVE-2023-35165?

Exploitation complexity is low once the prerequisite is met: the attacker needs nothing beyond a single `sts:AssumeRole` call. Prerequisites are an affected CDK version and a stack that uses eks.Cluster or eks.FargateCluster (with the default MastersRole additionally requiring that no `mastersRole` was passed). The attacker must already hold an IAM identity in the same AWS account whose policy allows `sts:AssumeRole` on the role's ARN, which is commonly granted through `Resource: "*"`. This is account-internal rather than remote exploitation. The primary risk factor is the combination of the root-principal trust policy with broad `sts:AssumeRole` grants, which together let account-internal identities assume roles they were never meant to use.
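The two sections above describe the shape of the problem (a trust policy whose principal is the account root) and who can exploit it (any principal in the account with `sts:AssumeRole`). The following is an added example, not code from aws-cdk-lib or the CDK project: a scanner that walks a synthesized CloudFormation template (the output of `cdk synth`) and reports every IAM role whose trust policy lets the whole account assume it. The CDK renders the root principal as an `Fn::Join` over `AWS::Partition` and `AWS::AccountId`, so the scanner renders intrinsics before matching. The sample template, the resource names and the `roleTrusting` helper are constructed for illustration; the "fixed" role shows the trust restricted to a specific handler role, which is the shape the patched versions produce.

```typescript
// Added example (not code from aws-cdk-lib or the CDK project): scan a
// synthesized CloudFormation template for IAM roles whose trust policy lets
// the whole AWS account assume them, the condition behind CVE-2023-35165.
// Resource names and the sample template below are constructed/hypothetical.

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type JsonObject = { [k: string]: Json };

interface Finding {
  logicalId: string; // logical ID of the AWS::IAM::Role resource
  principal: string; // rendered principal that triggered the finding
}

function toArray(v: Json | undefined): Json[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Render a CloudFormation value as one string, resolving the intrinsics the
// CDK uses when it formats ARNs. Refs and GetAtts become "${...}" placeholders
// so the result can be pattern-matched without knowing account or partition.
function render(value: Json | undefined): string {
  if (value === undefined || value === null) return "";
  if (typeof value !== "object") return String(value);
  if (Array.isArray(value)) return value.map(render).join("");
  if ("Ref" in value) return "${" + render(value["Ref"]) + "}";
  if ("Fn::GetAtt" in value) {
    const [res, attr] = toArray(value["Fn::GetAtt"]);
    return "${" + render(res) + "." + render(attr) + "}";
  }
  if ("Fn::Join" in value) {
    const [sep, parts] = toArray(value["Fn::Join"]);
    return toArray(parts).map(render).join(render(sep));
  }
  return JSON.stringify(value);
}

// A principal that amounts to "anyone in the account": the account root ARN,
// a bare 12-digit account ID (IAM treats it as the root ARN), or "*".
function trustsWholeAccount(principal: string): boolean {
  return (
    principal === "*" ||
    /^\d{12}$/.test(principal) ||
    /^arn:[^\s]+:iam::[^\s]*:root$/.test(principal)
  );
}

// Return every role whose AssumeRolePolicyDocument allows sts:AssumeRole to
// such a principal. Only Allow statements with AWS-type principals matter;
// Service principals (e.g. lambda.amazonaws.com) are not the issue here.
function findRootTrustedRoles(template: { Resources: JsonObject }): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res === null || typeof res !== "object" || Array.isArray(res)) continue;
    if (res["Type"] !== "AWS::IAM::Role") continue;
    const props = (res["Properties"] ?? {}) as JsonObject;
    const doc = (props["AssumeRolePolicyDocument"] ?? {}) as JsonObject;
    for (const s of toArray(doc["Statement"])) {
      if (s === null || typeof s !== "object" || Array.isArray(s)) continue;
      if (s["Effect"] !== "Allow") continue;
      const actions = toArray(s["Action"]).map(render);
      if (!actions.some((a) => a === "sts:AssumeRole" || a === "sts:*" || a === "*")) continue;
      const principal = s["Principal"];
      if (principal === null || typeof principal !== "object" || Array.isArray(principal)) continue;
      for (const p of toArray(principal["AWS"]).map(render)) {
        if (trustsWholeAccount(p)) findings.push({ logicalId, principal: p });
      }
    }
  }
  return findings;
}

// Constructed sample resembling a slice of `cdk synth` output: the affected
// creation role trusts the account root; the fixed form trusts only the Lambda
// handler role that actually needs it. Logical IDs are hypothetical.
const rootPrincipal: Json = {
  "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::", { Ref: "AWS::AccountId" }, ":root"]],
};
const handlerPrincipal: Json = { "Fn::GetAtt": ["ClusterResourceHandlerRole", "Arn"] };

function roleTrusting(principal: Json): Json {
  return {
    Type: "AWS::IAM::Role",
    Properties: {
      AssumeRolePolicyDocument: {
        Version: "2012-10-17",
        Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: principal } }],
      },
    },
  };
}

const SAMPLE_TEMPLATE: { Resources: JsonObject } = {
  Resources: {
    ClusterCreationRole: roleTrusting(rootPrincipal), // shape in affected versions
    ClusterCreationRoleFixed: roleTrusting(handlerPrincipal), // shape after the fix
  },
};

// Example run over the constructed template: flags ClusterCreationRole only.
console.log(findRootTrustedRoles(SAMPLE_TEMPLATE));
```

To use it on a real stack, parse the JSON template from `cdk.out/` and pass it to `findRootTrustedRoles`; a non-empty result on an EKS stack means either the library is still an affected version or a custom role has the same trust policy. The same check is worth running against `aws iam get-role` output for roles already deployed, since upgrading the library changes nothing until the stack is redeployed.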

What are the Known Public Exploits?

No public proof-of-concept or exploit is known for this CVE.

What are the Available Fixes for CVE-2023-35165?

Available Upgrade Options

  • @aws-cdk/aws-eks
    • >=1.57.0, <1.202.0 → Upgrade to 1.202.0
  • aws-cdk-lib
    • >=2.0.0, <2.80.0 → Upgrade to 2.80.0

The fixed versions no longer use the account root principal; the trust policy of both roles is restricted to the specific Lambda handler roles that need to assume them. Upgrading the package alone does not change anything already deployed: the trust policy is a property of the CloudFormation role resource, so the stack must be deployed again, and `cdk diff` should show the `AssumeRolePolicyDocument` of the creation role and the default masters role losing the root principal. If upgrading is not immediately possible, the default MastersRole can be avoided by passing an explicitly scoped role through the `mastersRole` property; there is no equivalent workaround for the CreationRole.


Additional Resources

What are Similar Vulnerabilities to CVE-2023-35165?

Similar Vulnerabilities: CVE-2023-37920, CVE-2022-23588, CVE-2021-22904, CVE-2020-7667, CVE-2019-14287