Juju Arbitrary Binary Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in Juju versions prior to 3.6.8 and 2.9.52 that allows any authenticated controller user to upload arbitrary agent binaries to any model or to the controller itself. The upload path neither verifies that the user is a member of the target model nor requires any explicit permission. As a result, malicious binaries could be distributed to new or upgraded machines, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for the upload of poisoned binaries to a Juju controller, which can then be distributed to all machines within the affected model or the controller itself. This could result in remote code execution on those machines. Additionally, the vulnerability could be used to poison the agent binary cache of other Juju controllers through model migration.

Reproduction

To reproduce this vulnerability, first bootstrap a new Juju controller and add a user without permissions or model access. After logging in as this user, upload a malicious agent binary using the Juju client. Once the binary is uploaded, it will be distributed to all machines in the model or the controller, depending on the upgrade process used.

Remediation

Users can upgrade to Juju versions 2.9.52 or 3.6.8, where this vulnerability has been patched.
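A small triage helper, added here and not part of the advisory or of Juju itself, that classifies version strings against the fixed releases named above. It assumes `juju version` prints a string beginning with `major.minor.patch` (for example `3.6.7-genericlinux-amd64`); the controller names and versions in the sample inventory are constructed.

```python
import re

# Fixed releases stated in the advisory, keyed by the major series they belong to.
PATCHED = {2: (2, 9, 52), 3: (3, 6, 8)}

# Constructed inventory: controller name -> output of `juju version` on its client.
SAMPLE_INVENTORY = {
    "prod-east": "3.6.7-genericlinux-amd64",
    "prod-west": "3.6.8-genericlinux-amd64",
    "legacy": "2.9.51-ubuntu-amd64",
    "lab": "3.5.4-ubuntu-amd64",
}


def parse_juju_version(text: str) -> tuple:
    """Return (major, minor, patch) from a Juju version string (assumed format)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Juju version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its series.

    Anything on the 3.x line is compared against 3.6.8 (so 3.5.x is also
    affected); anything on 2.x or earlier is compared against 2.9.52.
    Series newer than 3.x are not covered by the advisory and are
    reported as not vulnerable by this check.
    """
    parsed = parse_juju_version(version)
    major = parsed[0]
    if major > 3:
        return False
    fixed = PATCHED[3] if major == 3 else PATCHED[2]
    return parsed < fixed


def triage(inventory: dict) -> dict:
    """Map each controller name to True/False (needs upgrade / already fixed)."""
    return {name: is_vulnerable(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    for name, needs_upgrade in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {'UPGRADE' if needs_upgrade else 'ok'}")
```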

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          7.5
exploitability  6.6
remediation     7.7
relevance       0.2
threat          6.5
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.