RustFS Privilege Escalation Vulnerability via Flawed IAM Short-Circuit
Vulnerability
A vulnerability in RustFS versions 1.0.0-alpha.13 through 1.0.0-alpha.78 allows a restricted service account or STS credential to self-issue an unrestricted service account that inherits the full privileges of the parent account. The flaw is a defective 'deny_only' short-circuit in the RustFS IAM, which lets the new account bypass the session and inline policy restrictions placed on its creator and so escalate privileges. The issue has been patched in version 1.0.0-alpha.79.
Impact
Exploitation of this vulnerability yields privilege escalation and authorization bypass: the holder of a restricted credential gains unrestricted access to S3, Admin, and KMS operations, potentially leading to unauthorized data access or manipulation.
Reproduction
The vulnerability can be reproduced by creating a restricted service account with specific policies and then using that account to mint an unrestricted service account. Because of the 'deny_only' short-circuit, the new account inherits the parent's full privileges, including access to resources that the restricted policies were meant to withhold.
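The following is an added, simplified model of the difference between a deny-only short-circuit and full layered policy evaluation; it is not RustFS's own code, and the policy shapes, action names and resource ARNs are constructed for illustration. It shows why a restriction layer that is consulted only for explicit denies cannot narrow a parent's grant, and why requiring every layer to allow closes the gap.

```rust
// Simplified model of layered IAM policy evaluation (assumption, not RustFS's own code).
#[derive(Clone, Copy, PartialEq)]
enum Effect { Allow, Deny }
struct Statement { effect: Effect, action: &'static str, resource: &'static str }

/// Exact match or trailing-wildcard prefix match ("s3:*", "arn:aws:s3:::bucket-a/*").
fn matches(pattern: &str, value: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => value.starts_with(prefix),
        None => pattern == value,
    }
}
fn applies(s: &Statement, action: &str, resource: &str) -> bool {
    matches(s.action, action) && matches(s.resource, resource)
}

/// One policy layer: an explicit Deny wins, otherwise an Allow is required (implicit deny).
fn eval_layer(layer: &[Statement], action: &str, resource: &str) -> bool {
    let hits: Vec<&Statement> = layer.iter().filter(|s| applies(s, action, resource)).collect();
    if hits.iter().any(|s| s.effect == Effect::Deny) { return false; }
    hits.iter().any(|s| s.effect == Effect::Allow)
}

/// Flawed "deny_only" short-circuit: the session/inline layer is consulted only for an explicit
/// Deny, so a restricted layer that merely grants less than the parent narrows nothing.
fn allowed_deny_only(parent: &[Statement], restricted: &[Statement], action: &str, resource: &str) -> bool {
    let explicit_deny = restricted.iter().any(|s| s.effect == Effect::Deny && applies(s, action, resource));
    eval_layer(parent, action, resource) && !explicit_deny
}

/// Corrected evaluation: every layer in the chain (parent, session/inline policy, any further
/// service-account policy) must independently allow, so each layer can only narrow the previous one.
fn allowed_all_layers(layers: &[&[Statement]], action: &str, resource: &str) -> bool {
    layers.iter().all(|layer| eval_layer(layer, action, resource))
}

/// Constructed policies: a parent with full rights and a restricted inline policy on a service account.
const PARENT: &[Statement] = &[Statement { effect: Effect::Allow, action: "*", resource: "*" }];
const RESTRICTED: &[Statement] = &[Statement {
    effect: Effect::Allow, action: "s3:GetObject", resource: "arn:aws:s3:::bucket-a/*",
}];

fn main() {
    let (act, res) = ("admin:CreateServiceAccount", "*");
    println!("deny_only short-circuit: {}", allowed_deny_only(PARENT, RESTRICTED, act, res)); // true
    println!("all layers must allow:   {}", allowed_all_layers(&[PARENT, RESTRICTED], act, res)); // false
}
```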
Remediation
Users should update to RustFS version 1.0.0-alpha.79 or later, where this vulnerability has been fixed.
