Coder Privilege Escalation Vulnerability in Prebuilt Workspaces Allowing Cross-Workspace Compromise

Vulnerability

A vulnerability in Coder's session management for prebuilt workspaces can lead to privilege escalation and unauthorized access to other workspaces. This issue affects Coder versions 2.22.0 through 2.24.3, as well as 2.25.0 and 2.25.1. The vulnerability arises because the session token for the built-in 'prebuilds' user is not invalidated when a workspace is claimed by another user. As a result, any workspace template that saves this session token inside the workspace exposes it to the user who claims that workspace. The issue is particularly concerning for deployments that use the prebuilt workspaces feature, because it allows a user to access and execute code in other workspaces owned by the 'prebuilds' user.

Impact

Exploitation of this vulnerability could lead to unauthorized access and actions in other workspaces owned by the 'prebuilds' user, including executing code in them and reading information belonging to other users.

Reproduction

To reproduce this vulnerability, claim a prebuilt workspace from a template that saves the 'prebuilds' user's session token. This can be done using the 'coder-login' module, which configures the Coder CLI to authenticate with the 'prebuilds' user. After claiming the workspace, the session token for 'prebuilds' will persist, allowing lateral movement to other workspaces or the creation of new workspaces as the 'prebuilds' user.

Remediation

This vulnerability has been fixed in Coder versions 2.24.4, 2.25.2, and 2.26.0. However, workspaces created from prebuilt templates before the fix may still hold a valid 'prebuilds' session token and remain affected after the upgrade. Recreating such workspaces is recommended. To identify potentially impacted workspaces, a SQL query can be run against the Coder database.
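The two facts a defender needs from this advisory are the affected version ranges and whether a template persists the 'prebuilds' session token via the 'coder-login' module. The following is an added example, not code from the advisory or from the Coder project: it parses a `coder version` string against the ranges stated above and scans a template's Terraform text for module blocks whose source references 'coder-login'. The sample template, the module source path, and the names `is_affected`, `find_coder_login_modules` and `needs_review` are assumptions made for this example.

```python
# Added example (not from the advisory or the Coder project).
import re
from typing import List, Tuple

# Affected version ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((2, 22, 0), (2, 24, 3)),
    ((2, 25, 0), (2, 25, 1)),
]
# Fixed releases named in the advisory; listed for documentation, since they
# already fall outside the affected ranges.
FIXED_VERSIONS = {(2, 24, 4), (2, 25, 2), (2, 26, 0)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v2.24.3', '2.24.3+sha' or the first token of `coder version` output."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized Coder version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the deployment version lies inside an affected range."""
    v = parse_version(version)
    if v in FIXED_VERSIONS:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Terraform (HCL) parsing kept deliberately simple: a module block is assumed
# to close with a '}' at column 0, which is how templates are usually laid out.
_MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)
_SOURCE_RE = re.compile(r'source\s*=\s*"([^"]+)"')


def find_coder_login_modules(template_hcl: str) -> List[str]:
    """Return names of module blocks whose source references 'coder-login'.

    Assumption (not from the advisory): the module is pulled in through a
    registry source path that contains the string 'coder-login'.
    """
    hits = []
    for name, body in _MODULE_RE.findall(template_hcl):
        src = _SOURCE_RE.search(body)
        if src and "coder-login" in src.group(1):
            hits.append(name)
    return hits


def needs_review(version: str, template_hcl: str) -> bool:
    """Flag a deployment that runs an affected version AND uses a template
    that persists the 'prebuilds' token via coder-login. Workspaces claimed
    from such templates before the upgrade should be recreated regardless."""
    return is_affected(version) and bool(find_coder_login_modules(template_hcl))


# Constructed sample template for the demonstration (the source path is an
# assumption about how the coder-login module is commonly referenced).
SAMPLE_TEMPLATE = '''
terraform {
  required_providers {
    coder = { source = "coder/coder" }
  }
}

module "coder-login" {
  source   = "registry.coder.com/modules/coder-login/coder"
  agent_id = coder_agent.main.id
}

module "git-clone" {
  source   = "registry.coder.com/modules/git-clone/coder"
  agent_id = coder_agent.main.id
  url      = "https://example.invalid/repo.git"
}
'''

if __name__ == "__main__":
    for ver in ("v2.24.3", "2.24.4", "2.25.1", "2.26.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print("coder-login modules:", find_coder_login_modules(SAMPLE_TEMPLATE))
    print("needs review:", needs_review("2.23.0", SAMPLE_TEMPLATE))
```

A template that does not reference coder-login can still persist the token by other means, so treat an empty module list as "not flagged by this heuristic" rather than as proof of safety; the advisory's own remediation (recreating pre-fix prebuilt workspaces and running the database query) still applies.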

Added: Sep 6, 2025, 3:24 AM
Updated: Sep 6, 2025, 3:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.