Juju Confused Deputy Vulnerability via Predictable Secret IDs

Vulnerability

A vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to exploit predictable secret IDs, leading to unauthorized access to resources. When a secret owner grants permissions to a grantee, the owner relies solely on the XID of the secret for verification. This predictability enables grantees to anticipate and misuse past secrets granted to others. Exploitation requires a specific configuration, data semantics, and the deployment of at least two applications, one controlled by the attacker.

Impact

Exploitation allows the grantee to access and manipulate resources associated with the secret owner, potentially leading to unauthorized data exfiltration or modification of resources.

Reproduction

To reproduce this vulnerability, deploy two applications in the same Kubernetes model: one as the 'Good' secret owner and the other as the 'Evil' grantee. Have both applications create secrets and grant them to a 'Provider' application, which acts as the confused deputy. The 'Evil' application can then predict and use the 'Good' application's secret ID to access its resources.

Remediation

Users are advised to update to Juju version 3.6.19, where this vulnerability has been patched.

Added: Mar 18, 2026, 2:25 PM
Updated: Mar 18, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread:         3.1
impact:         0.2
exploitability: 6.2
remediation:    7.7
relevance:      4.1
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.