etcd
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*
- <= 3.4.41
- <= 3.6.8
- <= 3.5.27
A vulnerability in etcd, a distributed key-value store, allows unauthorized users to bypass authentication and authorization checks in clusters that expose the gRPC API to untrusted or partially trusted clients. This issue is present in etcd versions prior to 3.4.42, 3.5.28, and 3.6.9. In unpatched clusters with etcd authentication enabled, unauthorized users can access the MemberList API to gather cluster topology information, including member IDs and endpoints. They can also misuse the Alarm API to disrupt operations or cause a denial-of-service, interfere with Lease APIs that manage TTL-based keys and lease ownership, and trigger compaction processes that permanently delete historical data, disrupting watch, audit, and recovery operations. While Kubernetes typically uses its own authentication and authorization mechanisms, this vulnerability could still impact certain etcd users.
Exploitation of this vulnerability could lead to unauthorized access to etcd functions, allowing users to disrupt operations, interfere with key management, and access sensitive cluster topology information. The ability to trigger compaction could also disrupt auditing and recovery processes.
Users can upgrade to etcd versions 3.6.9, 3.5.28, or 3.4.42 to address this vulnerability. If an immediate upgrade is not possible, the exposure can be reduced by treating the affected gRPC APIs as unauthenticated, restricting network access to etcd server ports to allow only trusted components to connect, and requiring strong client identity at the transport layer, such as mutual TLS with carefully managed client certificate distribution.
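As an added example that is not part of this advisory and not etcd project code, the following Python script classifies etcd server versions against the three fixed releases the advisory names (3.4.42, 3.5.28, 3.6.9), so a defender can inventory which members still need the upgrade. It assumes the JSON shape of etcd's HTTP `/version` endpoint (`{"etcdserver": ..., "etcdcluster": ...}`); the endpoint names and response bodies in the block are constructed sample data, and pre-release builds of a fixed version are deliberately counted as unpatched.

```python
"""Classify etcd server versions against the fixed releases named in this advisory.

Added example: not part of the advisory and not etcd project code. It assumes
the response shape of etcd's HTTP `/version` endpoint,
    {"etcdserver": "<server version>", "etcdcluster": "<cluster version>"},
and the endpoint names and responses below are constructed sample data.
"""
import json
import re
from typing import Dict, Optional, Tuple

# Fixed releases from the advisory, keyed by (major, minor) line.
FIXED_BY_LINE: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 4): (3, 4, 42),
    (3, 5): (3, 5, 28),
    (3, 6): (3, 6, 9),
}

# Optional leading "v", three numeric components, optional "-prerelease", optional "+build".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '3.5.27', 'v3.5.27' or '3.6.9-alpha.0' into a comparable tuple.

    The fourth element is 0 for a pre-release and 1 for a final release, so that
    3.6.9-alpha.0 sorts before 3.6.9: a pre-release of the fixed version is still unpatched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised etcd version string: {text!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return int(major), int(minor), int(patch), 0 if prerelease else 1


def classify(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version_for_this_line).

    status is one of:
      'affected'         - older than the fixed release on its minor line
      'patched'          - at or above the fixed release on its minor line
      'outside_advisory' - a minor line the advisory does not list (no verdict)
    """
    major, minor, patch, final = parse_version(version)
    fixed = FIXED_BY_LINE.get((major, minor))
    if fixed is None:
        return "outside_advisory", None
    fixed_str = ".".join(str(n) for n in fixed)
    if (major, minor, patch, final) < fixed + (1,):
        return "affected", fixed_str
    return "patched", fixed_str


def check_version_response(body: str) -> Dict[str, Optional[str]]:
    """Classify the server version found in a `/version` response body."""
    data = json.loads(body)
    server = data["etcdserver"]
    status, fixed = classify(server)
    return {"etcdserver": server, "status": status, "fixed_in": fixed}


def audit_members(responses: Dict[str, str]) -> Dict[str, str]:
    """Map each endpoint to the fixed version it should be upgraded to.

    `responses` maps an endpoint name to the raw `/version` body fetched from it.
    Only endpoints classified as 'affected' appear in the result.
    """
    needs_upgrade: Dict[str, str] = {}
    for endpoint, body in responses.items():
        report = check_version_response(body)
        if report["status"] == "affected":
            needs_upgrade[endpoint] = report["fixed_in"]  # type: ignore[assignment]
    return needs_upgrade


# Constructed sample data standing in for three members' `/version` responses.
SAMPLE_RESPONSES = {
    "etcd-0.example.internal:2379": '{"etcdserver":"3.5.27","etcdcluster":"3.5.0"}',
    "etcd-1.example.internal:2379": '{"etcdserver":"3.5.28","etcdcluster":"3.5.0"}',
    "etcd-2.example.internal:2379": '{"etcdserver":"3.6.9-alpha.0","etcdcluster":"3.6.0"}',
}

if __name__ == "__main__":
    for endpoint, fixed in sorted(audit_members(SAMPLE_RESPONSES).items()):
        print(f"{endpoint}: affected, upgrade to {fixed}")
```

A minor line the advisory does not list (for example 3.3.x or a future 3.7.x) is reported as `outside_advisory` rather than guessed at, since the advisory only states ranges for 3.4, 3.5 and 3.6. For the transport-layer mitigation the advisory describes, the corresponding etcd server settings are `--client-cert-auth=true` together with `--trusted-ca-file` pointing at the CA that issues client certificates, so that every gRPC client must present a certificate chained to that CA before any RPC, including the APIs listed above, is accepted.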