Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage

Vulnerability

A vulnerability in Devtron's Attributes API interface allows any authenticated user, including low-privileged CI/CD Developers, to access the global API Token signing key. This is achieved by querying the '/orchestrator/attributes?key=apiTokenSecret' endpoint. The vulnerability arises because the authorization checks for this API have been disabled, enabling unauthorized access to sensitive information. Once the API Token signing key is obtained, it can be used to forge JWT tokens for any user, granting complete control over the Devtron platform and access to the underlying Kubernetes cluster.

Impact

Exploitation of this vulnerability allows for unauthorized access to the API Token signing key, which can be used to forge JWT tokens for any user. This grants the attacker full administrative privileges on the Devtron platform, including access to sensitive information and configurations. Additionally, it allows for lateral movement into the connected Kubernetes cluster, where further malicious activities can be conducted.

Reproduction

To reproduce this vulnerability, log into the Devtron platform as a user with low privileges. Once authenticated, send a GET request to the '/orchestrator/attributes?key=apiTokenSecret' endpoint. This request can be made using a tool like curl or Postman. The response will include the API Token signing key, which can then be extracted and used to forge JWT tokens for any user.

Remediation

Devtron has released a patch for this vulnerability. Users should update to the latest version of Devtron. Additionally, as a temporary measure, network-level restrictions can be applied to limit access to the Attributes API. This can be done using Kubernetes NetworkPolicies to allow only admin users to access sensitive endpoints.
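A detection check a defender can run over ingress or API-gateway access logs to find reads of the signing key, whether served (200, unpatched build) or blocked (403, patched build). This is an added example, not code from the advisory or the Devtron project; the log line format, the position of the authenticated user field and the sample lines are all constructed assumptions.

```python
"""Flag requests for Devtron's API token signing key in access logs.

Added example, not part of the original advisory or of Devtron itself.
Assumes a combined-log-style line whose third field is the authenticated
user; adapt LINE_RE to the real log format in use.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [04/Feb/2026:21:10:01 +0000] "GET /orchestrator/app/list HTTP/1.1" 200
10.0.0.9 - bob [04/Feb/2026:21:10:07 +0000] "GET /orchestrator/attributes?key=apiTokenSecret HTTP/1.1" 200
10.0.0.9 - bob [04/Feb/2026:21:10:09 +0000] "GET /orchestrator/attributes?key=ApiTokenSecret HTTP/1.1" 200
10.0.0.2 - admin [04/Feb/2026:21:11:00 +0000] "GET /orchestrator/attributes?key=apiTokenSecret HTTP/1.1" 403
10.0.0.7 - carol [04/Feb/2026:21:12:30 +0000] "GET /orchestrator/attributes?key=HOST_URL HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ATTRIBUTES_PATH = "/orchestrator/attributes"
SENSITIVE_KEY = "apitokensecret"  # compared case-insensitively to avoid missing variants


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = urlparse(rec["target"])
    rec["path"] = url.path
    # Normalise query keys and values to lower case for matching.
    rec["query"] = {k.lower(): [v.lower() for v in vs]
                    for k, vs in parse_qs(url.query).items()}
    return rec


def is_secret_read(rec):
    """True when the request asked the Attributes API for the signing key."""
    return rec["path"] == ATTRIBUTES_PATH and SENSITIVE_KEY in rec["query"].get("key", [])


def find_secret_reads(log_text):
    """Return (user, ip, status) for every request that targeted the signing key."""
    return [(r["user"], r["ip"], r["status"])
            for r in map(parse_line, log_text.splitlines())
            if r and is_secret_read(r)]


def users_served_secret(log_text):
    """Users who actually received a 200 for the key: treat the key as exposed."""
    return sorted({u for u, _, s in find_secret_reads(log_text) if s == 200})
```

A 200 from a non-admin account on a build without the fix means the signing key should be considered disclosed, since updating Devtron does not invalidate tokens already forged with it.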

Added: Feb 4, 2026, 10:44 PM
Updated: Feb 4, 2026, 10:44 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          7.5
  exploitability  6.6
  remediation     8.3
  relevance       2.5
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.