RustFS Incorrect IAM Permission Validation in ImportIAM API Allows Privilege Escalation

Vulnerability

A vulnerability exists in RustFS versions prior to 1.0.0-alpha.79, where the ImportIam admin API incorrectly validates permissions. It uses ExportIAMAction for authorization instead of the correct ImportIAMAction. This flaw allows a principal with export-only IAM permissions to perform import operations, which involve privileged write actions such as creating or updating users, groups, policies, and service accounts. As a result, this vulnerability can lead to unauthorized modifications of IAM data and privilege escalation.
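To illustrate the mismatch described above, the following is an added Rust example, not RustFS's own code: the action names, the `Principal` model, the handler functions and the `mismatched_handlers` regression guard are all assumed for illustration. It places the pre-fix import check (authorizing against the export action) beside the corrected one, and shows a table-driven check that flags any admin handler whose authorization action does not match the operation it performs.

```rust
use std::collections::HashSet;

// Hypothetical action names for illustration; RustFS's own identifiers may differ.
#[derive(Clone, Copy, PartialEq, Eq, Hash)]
pub enum AdminAction { ExportIAM, ImportIAM }

const ALL_ACTIONS: [AdminAction; 2] = [AdminAction::ExportIAM, AdminAction::ImportIAM];

/// A principal together with the admin actions its policy grants.
pub struct Principal { pub allowed: HashSet<AdminAction> }

impl Principal {
    pub fn with(actions: &[AdminAction]) -> Self {
        Principal { allowed: actions.iter().copied().collect() }
    }
}

pub fn export_iam(p: &Principal) -> bool { p.allowed.contains(&AdminAction::ExportIAM) }

/// Pre-fix behaviour: the import handler authorizes against ExportIAM, so an
/// export-only principal is allowed to write IAM state.
pub fn import_iam_vulnerable(p: &Principal) -> bool { p.allowed.contains(&AdminAction::ExportIAM) }

/// Fixed behaviour: the import handler authorizes against the action it performs.
pub fn import_iam_fixed(p: &Principal) -> bool { p.allowed.contains(&AdminAction::ImportIAM) }

pub type Guard = fn(&Principal) -> bool;
/// Regression guard: for each handler, a principal holding only the required action
/// must pass and a principal holding every other action must be denied. Returns the
/// names of handlers whose authorization check does not match their operation.
pub fn mismatched_handlers(table: &[(&'static str, AdminAction, Guard)]) -> Vec<&'static str> {
    table.iter().filter_map(|&(name, required, guard)| {
        let only_required = Principal::with(&[required]);
        let rest: Vec<AdminAction> = ALL_ACTIONS.iter().copied().filter(|&a| a != required).collect();
        let others = Principal::with(&rest);
        if guard(&only_required) && !guard(&others) { None } else { Some(name) }
    }).collect()
}

/// Handler table modelling the pre-fix behaviour (import checks the export action).
pub fn vulnerable_table() -> Vec<(&'static str, AdminAction, Guard)> {
    vec![("ExportIAM", AdminAction::ExportIAM, export_iam as Guard),
         ("ImportIAM", AdminAction::ImportIAM, import_iam_vulnerable as Guard)]
}

/// Handler table modelling the fixed behaviour.
pub fn fixed_table() -> Vec<(&'static str, AdminAction, Guard)> {
    vec![("ExportIAM", AdminAction::ExportIAM, export_iam as Guard),
         ("ImportIAM", AdminAction::ImportIAM, import_iam_fixed as Guard)]
}
```

Running `mismatched_handlers` over the pre-fix table reports "ImportIAM" as the handler whose check is wrong, and over the fixed table reports nothing.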

Impact

Exploitation of this vulnerability allows unauthorized changes to IAM entities, such as users, groups, policies, and service accounts, potentially leading to elevated privileges within the system.

Reproduction

To reproduce this vulnerability, first ensure that a RustFS deployment with IAM enabled is available. Then create or obtain an IAM principal that has Export IAM permissions but neither Import IAM nor full admin rights. After obtaining access credentials for this principal, prepare a valid IAM import ZIP archive containing a new policy with administrative rights and a user or service account attached to that policy. Finally, send a request to the Import IAM endpoint using the export-only credentials. The request should be authorized and successfully modify the IAM state, demonstrating the vulnerability.

Remediation

Users should update to RustFS version 1.0.0-alpha.79 or later, where this vulnerability has been fixed.

Added: Jan 8, 2026, 3:18 PM
Updated: Jan 8, 2026, 6:38 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.