Red Hat Cluster Observability Operator Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability exists in the Red Hat Cluster Observability Operator (COO) version 1.3.0. When it deploys the namespace-scoped MonitorStack Custom Resource, the operator creates a ServiceAccount in that namespace and binds it to a ClusterRole. A Kubernetes account holding only namespace-level roles can therefore create a MonitorStack in its own namespace and, by impersonating the resulting ServiceAccount, elevate its permissions to the cluster level, leading to unauthorized access and potential misuse of cluster-wide privileges.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling a user to gain cluster-level access and permissions.
Reproduction
To reproduce this vulnerability, use a Kubernetes account that holds only namespace-level roles. Deploy the MonitorStack Custom Resource in a namespace that account is authorized to write to. The operator will create a ServiceAccount bound to a ClusterRole. Once the ServiceAccount exists, it can be impersonated to obtain cluster-level permissions.
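A defender-side check a cluster administrator would want here, added as an example that is not from the advisory or from the operator's code base: it walks the JSON that `kubectl get clusterrolebindings -o json` returns and reports every ClusterRole binding whose subject is a ServiceAccount living in an ordinary (non-platform) namespace, which is the exposure pattern described above. The platform namespace prefixes and all object names in the constructed sample are assumptions, not the operator's real object names.

```python
"""Audit ClusterRoleBindings for ServiceAccount subjects in user namespaces."""
import json
from typing import Dict, List

# Assumption: namespaces treated as platform-owned; adjust for your cluster.
PLATFORM_NAMESPACES = {"default", "kube-system", "kube-public"}
PLATFORM_PREFIXES = ("kube-", "openshift-")


def is_platform_namespace(ns: str) -> bool:
    return ns in PLATFORM_NAMESPACES or ns.startswith(PLATFORM_PREFIXES)


def find_risky_bindings(crb_list: Dict) -> List[Dict[str, str]]:
    """Return one finding per ServiceAccount subject of a ClusterRoleBinding
    whose namespace is not a platform namespace. Input is the parsed JSON
    list object from `kubectl get clusterrolebindings -o json`."""
    findings = []
    for crb in crb_list.get("items", []):
        role_ref = crb.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole":
            continue
        for subj in crb.get("subjects") or []:  # subjects may be absent/null
            if subj.get("kind") != "ServiceAccount":
                continue
            ns = subj.get("namespace", "")
            if is_platform_namespace(ns):
                continue
            findings.append({
                "binding": crb["metadata"]["name"],
                "clusterRole": role_ref.get("name", ""),
                "serviceAccount": f"{ns}/{subj.get('name', '')}",
            })
    return findings


# Constructed sample in the shape of the kubectl output; names are placeholders.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"metadata": {"name": "system:controller-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "system:controller"},
  "subjects": [{"kind": "ServiceAccount", "name": "ctl", "namespace": "kube-system"}]},
 {"metadata": {"name": "example-monitorstack-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "example-monitorstack-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "team-a"},
               {"kind": "User", "name": "alice"}]},
 {"metadata": {"name": "empty-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": null}
]}""")

if __name__ == "__main__":
    for finding in find_risky_bindings(SAMPLE):
        print(finding)
```

Each finding is a binding to review: either the ClusterRole should be narrowed to a namespaced Role, or the ServiceAccount should be moved out of reach of namespace-level users (who may hold impersonate or token-creation rights on it).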
Remediation
Users are advised to upgrade to the latest version of the Red Hat Cluster Observability Operator that addresses this vulnerability.
