Harmonix on AWS Privilege Escalation Vulnerability in EKS Environment

A privilege escalation vulnerability has been identified in the Harmonix on AWS framework, specifically within the EKS environment provisioning role. This vulnerability arises from an overly-permissive IAM trust policy that allows authenticated users to assume roles with administrative privileges. The issue affects Harmonix on AWS versions 0.3.0 prior to 0.4.1. The misconfiguration enables any account principal with sts:AssumeRole permissions to assume the role, potentially compromising the security of AWS accounts where this version of Harmonix has been deployed.

Impact

Exploitation of this vulnerability allows authenticated users to escalate privileges by assuming roles with administrative rights, thereby potentially compromising the security of the AWS account.

Remediation

Users are advised to upgrade to Harmonix on AWS version 0.4.2 or later. If an immediate upgrade is not possible, review and restrict the IAM trust policies for roles created by Harmonix on AWS, particularly the EKS environment provisioning role, to ensure they do not unnecessarily trust the account root principal.