external-secrets
cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*
- < 2.3.0
A vulnerability exists in External Secrets Operator (ESO) versions 2.2.0 and prior, within the v2 template engine. The engine removes certain functions from Sprig's TxtFuncMap, specifically 'env' and 'expandenv', but leaves 'getHostByName' accessible in user-controlled templates. An attacker who can create or modify templated ExternalSecret resources can therefore trigger DNS lookups on the controller side using values derived from secrets, which allows secret information to be exfiltrated through DNS queries without any outbound network access from the attacker's own workload. The issue is most serious in environments where untrusted users can create templated ExternalSecrets and the controller can resolve DNS.
Exploitation of this vulnerability could lead to unauthorized exfiltration of secret data via DNS queries, potentially allowing attackers to access sensitive information without direct network access from their workload.
To reproduce this vulnerability, create or update a templated ExternalSecret resource in an ESO environment running version 2.2.0 or earlier. The template can include the 'getHostByName' function, which causes the controller to perform a DNS lookup using secret-derived values. The resource can be created with any client that interacts with the Kubernetes API, such as kubectl or a custom application that manages ExternalSecret resources.
Users can upgrade to External Secrets Operator version 2.3.0 or later, where this vulnerability has been fixed.
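Until every cluster is on 2.3.0 or later, an operator will want to know whether any existing ExternalSecret already carries a template that calls 'getHostByName'. The following audit script is an added example written for this page; it is not part of External Secrets Operator. It walks the template fields of the ExternalSecret API as documented upstream (spec.target.template.data and spec.target.template.templateFrom[].literal), flags any template action that names the function, and separately lists templateFrom entries that pull templates from a ConfigMap or Secret, because those cannot be inspected from the ExternalSecret object alone. The two manifests embedded in the block are constructed samples, and the input format is the JSON that `kubectl get externalsecrets -A -o json` produces.

```python
import json
import re
from typing import Iterator

# Template functions that let a template cause side effects on the controller.
# ESO's v2 engine strips env/expandenv from Sprig's TxtFuncMap, but before
# 2.3.0 getHostByName remained callable (see the advisory above).
RISKY_TEMPLATE_FUNCS = ("getHostByName",)

# A Go template action is everything between {{ and }}.
ACTION = re.compile(r"\{\{.*?\}\}", re.DOTALL)
WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _template_section(external_secret: dict) -> dict:
    """Return spec.target.template, or an empty dict when the resource is untemplated."""
    return (external_secret.get("spec") or {}).get("target", {}).get("template") or {}


def iter_template_strings(external_secret: dict) -> Iterator[tuple[str, str]]:
    """Yield (field path, template text) for every inline template in an ExternalSecret."""
    template = _template_section(external_secret)
    for key, text in (template.get("data") or {}).items():
        yield f"spec.target.template.data.{key}", text
    for i, src in enumerate(template.get("templateFrom") or []):
        literal = src.get("literal")
        if literal:
            yield f"spec.target.template.templateFrom[{i}].literal", literal


def find_risky_calls(external_secret: dict) -> list[dict]:
    """Flag every template action that references a function in RISKY_TEMPLATE_FUNCS."""
    findings = []
    for path, text in iter_template_strings(external_secret):
        for action in ACTION.findall(text):
            used = set(WORD.findall(action)) & set(RISKY_TEMPLATE_FUNCS)
            for fn in sorted(used):
                findings.append({"path": path, "function": fn, "action": action.strip()})
    return findings


def unresolved_template_sources(external_secret: dict) -> list[str]:
    """List templateFrom entries whose template body lives in another object.

    A ConfigMap- or Secret-backed template must be fetched and checked
    separately; this script cannot see its contents.
    """
    template = _template_section(external_secret)
    unresolved = []
    for i, src in enumerate(template.get("templateFrom") or []):
        for kind in ("configMap", "secret"):
            if kind in src:
                unresolved.append(f"spec.target.template.templateFrom[{i}].{kind}")
    return unresolved


def audit(manifest_json: str) -> list[dict]:
    """Audit a single ExternalSecret or a kubectl List of them, given as JSON text."""
    obj = json.loads(manifest_json)
    items = obj.get("items", [obj]) if obj.get("kind") == "List" else [obj]
    report = []
    for item in items:
        meta = item.get("metadata", {})
        report.append({
            "name": f"{meta.get('namespace', '')}/{meta.get('name', '')}",
            "risky_calls": find_risky_calls(item),
            "unresolved_sources": unresolved_template_sources(item),
        })
    return report


# Constructed sample: a templated ExternalSecret whose 'config' key calls getHostByName
# and which also pulls a template from a ConfigMap this script cannot read.
SAMPLE_EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "demo", "namespace": "tenant-a"},
    "spec": {
        "target": {
            "name": "demo",
            "template": {
                "engineVersion": "v2",
                "data": {
                    "username": "{{ .username }}",
                    "config": 'host={{ getHostByName "example.invalid" }}',
                },
                "templateFrom": [{"configMap": {"name": "tpl", "items": [{"key": "t"}]}}],
            },
        },
    },
}

# Constructed sample: ordinary templating only, nothing to report.
CLEAN_EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "clean", "namespace": "tenant-b"},
    "spec": {"target": {"template": {"data": {"token": "{{ .password | b64enc }}"}}}},
}

if __name__ == "__main__":
    print(json.dumps(audit(json.dumps(SAMPLE_EXTERNAL_SECRET)), indent=2))
```

Run it against live cluster output with `kubectl get externalsecrets -A -o json | python audit_eso_templates.py` after adapting the `__main__` block to read stdin; any entry with a non-empty `risky_calls` list is a template the upgrade to 2.3.0 will neutralise, and any non-empty `unresolved_sources` list names a ConfigMap or Secret whose template body still needs a manual look.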