OpenBao AWS Plugin Cross-Account IAM Role Impersonation Vulnerability

Vulnerability

A cross-account impersonation vulnerability has been identified in OpenBao's AWS Plugin, affecting versions through 0.1.0. An IAM role in an untrusted AWS account can authenticate as a role of the same name in a trusted account, because a flawed caching mechanism skips validation of the AWS Account ID during authentication. Exploitation requires only a role-name collision: it works against specific ARN bindings and does not depend on wildcard bindings. Successful exploitation could result in unauthorized access to secrets, data exfiltration, and privilege escalation.

Impact

Exploitation of this vulnerability allows for cross-account IAM role impersonation, leading to unauthorized access and potential privilege escalation within the OpenBao environment.

Reproduction

The vulnerability can be reproduced by creating an IAM role in an untrusted AWS account that has the same name as a role in a trusted account. When the role from the untrusted account is used to authenticate, it will be accepted as if it were the trusted role, due to the lack of proper validation of account IDs. This impersonation can then be used to access resources or privileges associated with the trusted role.

Remediation

Users are advised to upgrade to version 0.1.1 of the OpenBao AWS Plugin, where this vulnerability has been patched. For those unable to upgrade immediately, it is crucial to ensure that IAM role names are unique across all AWS accounts that could interact with the OpenBao environment. Auditing AWS organizations to identify and rename duplicate roles is recommended.
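To make the account-ID check concrete, here is an added Go example; it is not OpenBao's or the plugin's code. The `Authenticator` type, its cache, and the `WeakKey`/`FixedKey` helpers are a hypothetical model of the flaw described under Reproduction, and every ARN and account ID below is a constructed sample value. The example models an auth backend whose cache of already-verified principals is keyed by role name alone beside one keyed by account ID and role name, and it includes the role-name collision audit that the remediation section recommends for deployments that cannot upgrade yet.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// roleID is the (account, role name) pair that identifies an IAM role.
// Hypothetical type for this illustration, not an OpenBao type.
type roleID struct {
	AccountID string
	RoleName  string
}

// ParseRoleARN extracts the account ID and role name from an IAM role ARN
// ("arn:aws:iam::123456789012:role/[path/]Name") or an STS assumed-role ARN
// ("arn:aws:sts::123456789012:assumed-role/Name/session").
func ParseRoleARN(arn string) (roleID, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return roleID{}, fmt.Errorf("malformed ARN %q", arn)
	}
	service, account, resource := parts[2], parts[4], parts[5]
	if len(account) != 12 || strings.Trim(account, "0123456789") != "" {
		return roleID{}, fmt.Errorf("invalid account ID in %q", arn)
	}
	seg := strings.Split(resource, "/")
	switch {
	case service == "iam" && seg[0] == "role" && len(seg) >= 2:
		return roleID{AccountID: account, RoleName: seg[len(seg)-1]}, nil
	case service == "sts" && seg[0] == "assumed-role" && len(seg) >= 3:
		return roleID{AccountID: account, RoleName: seg[1]}, nil
	}
	return roleID{}, fmt.Errorf("not a role ARN: %q", arn)
}

// Authenticator models (hypothetically) an auth backend that binds a role to
// one trusted IAM role and caches principals it has already verified.
type Authenticator struct {
	bound    roleID
	verified map[string]bool
	keyOf    func(roleID) string
}

func NewAuthenticator(bound roleID, keyOf func(roleID) string) *Authenticator {
	return &Authenticator{bound: bound, verified: map[string]bool{}, keyOf: keyOf}
}

// WeakKey models the shape of the flaw: the cache is keyed by role name
// alone, so the account ID is never compared on a cache hit.
func WeakKey(r roleID) string { return r.RoleName }

// FixedKey includes the account ID, so a same-named role from another
// account can never hit an entry created for the trusted account.
func FixedKey(r roleID) string { return r.AccountID + ":" + r.RoleName }

// Login reports whether the caller ARN is accepted for the bound role.
func (a *Authenticator) Login(callerARN string) (bool, error) {
	caller, err := ParseRoleARN(callerARN)
	if err != nil {
		return false, err
	}
	if a.verified[a.keyOf(caller)] {
		return true, nil // cache hit: no further comparison happens
	}
	if caller != a.bound { // full comparison, account ID included
		return false, nil
	}
	a.verified[a.keyOf(caller)] = true
	return true, nil
}

// RoleNameCollisions returns, for each role name present in more than one
// account, the sorted account IDs that use it. Non-role ARNs are skipped.
func RoleNameCollisions(arns []string) map[string][]string {
	accounts := map[string]map[string]bool{}
	for _, s := range arns {
		r, err := ParseRoleARN(s)
		if err != nil {
			continue
		}
		if accounts[r.RoleName] == nil {
			accounts[r.RoleName] = map[string]bool{}
		}
		accounts[r.RoleName][r.AccountID] = true
	}
	out := map[string][]string{}
	for name, set := range accounts {
		if len(set) < 2 {
			continue
		}
		for id := range set {
			out[name] = append(out[name], id)
		}
		sort.Strings(out[name])
	}
	return out
}

func main() {
	trusted, _ := ParseRoleARN("arn:aws:iam::111111111111:role/Deployer") // constructed
	for _, c := range []struct {
		name string
		key  func(roleID) string
	}{{"weak", WeakKey}, {"fixed", FixedKey}} {
		a := NewAuthenticator(trusted, c.key)
		a.Login("arn:aws:iam::111111111111:role/Deployer") // trusted login fills the cache
		ok, _ := a.Login("arn:aws:sts::222222222222:assumed-role/Deployer/ci")
		fmt.Printf("%s cache key: other account accepted = %v\n", c.name, ok)
	}
	inventory := []string{ // constructed sample inventory for the audit
		"arn:aws:iam::111111111111:role/Deployer",
		"arn:aws:iam::222222222222:role/Deployer",
		"arn:aws:iam::222222222222:role/ReadOnly",
		"arn:aws:iam::111111111111:user/alice",
	}
	fmt.Println("role-name collisions:", RoleNameCollisions(inventory))
}
```

With the weak key, a principal from the untrusted account whose role name matches a previously verified trusted role is accepted from the cache without its account ID ever being compared; with the fixed key the lookup misses and the full comparison rejects it. The audit function is the check to run over an organization-wide role inventory before relying on unique role names as a stopgap.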

Added: Oct 23, 2025, 4:24 PM
Updated: Oct 23, 2025, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  5.8
remediation     7.7
relevance       0.8
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.