Impact
A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all of the following conditions were true:
- The Pinniped Supervisor is configured with either an LADPIdentityProvider or an ActiveDirectoryIdentityProvider resource
- The user somehow had the ability to edit some part of the distinguished name (DN) of user entries in the LDAP or Active Directory (AD) server's database
- The user knows the password for the edited LDAP user entry (i.e. the user is a legitimate user)
An attack would involve the attacker changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership.
Generally, users cannot edit LDAP entries, in which case this attack would first require compromising the LDAP server's security.
If you use the Pinniped Supervisor with either an LADPIdentityProvider or an ActiveDirectoryIdentityProvider resource, and your end users are able to change any part of their DN in their LDAP entry on the LDAP or AD server, then you should immediately upgrade Pinniped to v0.17.0.
Patches
The Pinniped Supervisor's LADPIdentityProvider feature was first introduced in v0.9.0. Previous versions were not effected.
The fix was introduced in release v0.17.0.
Workarounds
Preventing attackers from being able to edit their LDAP user entry prevents them from controlling the inputs required to make this attack.
References
The issue was fixed by PR #1148.
For more information
If you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo's README.md.
Impact
A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all of the following conditions were true:
An attack would involve the attacker changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor's LDAP query which determines their Kubernetes group membership.
Generally, users cannot edit LDAP entries, in which case this attack would first require compromising the LDAP server's security.
If you use the Pinniped Supervisor with either an LADPIdentityProvider or an ActiveDirectoryIdentityProvider resource, and your end users are able to change any part of their DN in their LDAP entry on the LDAP or AD server, then you should immediately upgrade Pinniped to v0.17.0.
Patches
The Pinniped Supervisor's LADPIdentityProvider feature was first introduced in v0.9.0. Previous versions were not effected.
The fix was introduced in release v0.17.0.
Workarounds
Preventing attackers from being able to edit their LDAP user entry prevents them from controlling the inputs required to make this attack.
References
The issue was fixed by PR #1148.
For more information
If you have any questions or comments about this advisory, please reach out to the maintainers using one of the methods described in this repo's README.md.