OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method

説明

Impact

This is a cross-account impersonation vulnerability in the auth-aws plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access.

This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts.

The core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a bound_iam_principal_arn configuration significantly increases the attack surface, wildcards are not a prerequisite for exploitation. The vulnerability can be exploited with specific ARN bindings if a role name collision occurs.

Successful exploitation can lead to unauthorized access to secrets, data exfiltration, and privilege escalation. Given that the only prerequisite is a duplicate role name, the severity is considered high.

Patches

This vulnerability has been patched in version 0.1.1 of the auth-aws plugin.
Users are advised to upgrade to version 0.1.1 or later to remediate this vulnerability.

Workarounds

For users who are unable to upgrade to version 0.1.1 immediately, the most effective workaround is to guarantee that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment. This is the most critical mitigation step.

Primary Mitigation: Audit your AWS organizations to identify and rename any duplicate IAM role names. Enforce a naming convention that includes account-specific identifiers to prevent future collisions.

While removing wildcards from your bound_iam_principal_arn configuration is still recommended as a security best practice, it will not mitigate this vulnerability if duplicate role names exist.

Credits

This vulnerability was discovered and reported by Pavlos Karakalidis

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2025-10-23 16:01:27 UTC
更新
2025-10-23 16:01:28 UTC
GitHub レビュー済み
2025-10-23 16:01:27 UTC

EPSS Score

Score Percentile
0.04% 12.37%

CVSS Scores

Base score Version Severity Vector
8.1 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:L)
一般ユーザー権限があれば足り、管理者(root 相当)は不要。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:H)
権限の奪取や広範なログ改竄など、システムの信頼根拠を揺るがす改ざんが現実的。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。

Identifiers

CWEs

CWE id Name
CWE-694 Use of Multiple Resources with Duplicate Identifier
CWE-863 Incorrect Authorization

Credits

  • pkarakal (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/openbao/openbao-plugins <= 0.1.0 0.1.1

References

cvelogic Threat Intelligence