Kubewarden Admission Policy Privilege Escalation Vulnerability Allowing RBAC Enumeration
Vulnerability
A vulnerability exists in Kubewarden, a policy engine for Kubernetes, in version 1.32.0. An attacker who is able to deploy a policy can craft one that abuses the 'can_i' host callback. This callback is not subject to the context-aware resource grants that gate a policy's other Kubernetes API access; instead it issues SubjectAccessReview requests with the policy-server's own privileges, so the attacker can enumerate the RBAC permissions of any user or service account in the cluster. The vulnerability does not by itself exfiltrate workload data, but it opens an authorization gap that can be used for information disclosure and reconnaissance.
Impact
Exploitation of this vulnerability allows unauthorized enumeration of RBAC permissions, revealing whether a given user or service account can perform actions such as reading secrets, creating pods, or binding cluster roles in a chosen namespace.
Remediation
To address this vulnerability, cluster operators should deploy PolicyServers with reduced permissions for host capability calls. This is done by setting 'PolicyServer.spec.namespacedPoliciesCapabilities' to an empty list, on custom PolicyServers as well as on the default PolicyServer. Operators can additionally remove the 'create' permission on SubjectAccessReview from the RBAC of the ServiceAccount the PolicyServer runs under.
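To confirm that the second remediation step actually took effect, the following script is an added example (not Kubewarden's own code) that audits exported RBAC objects offline and reports which ClusterRoles still let the PolicyServer's ServiceAccount create SubjectAccessReviews. It assumes objects in the shape returned by `kubectl get clusterroles,clusterrolebindings -o json`; the ServiceAccount name 'policy-server-default' in namespace 'kubewarden' and all role and binding objects below are constructed for illustration. Beyond the advisory's text it also covers the case an operator can overlook: a wildcard ClusterRole bound to a group such as 'system:serviceaccounts' keeps the gap open even after the PolicyServer's own role is fixed.

```python
"""Offline RBAC audit: can a ServiceAccount still create SubjectAccessReviews?

Added example for the remediation above, not Kubewarden project code.
Input shape: the 'items' of `kubectl get clusterroles -o json` and
`kubectl get clusterrolebindings -o json`. Only ClusterRoleBindings matter,
because SubjectAccessReview is cluster-scoped and a namespaced RoleBinding
cannot grant it. The ServiceAccount name and all objects below are constructed.
"""

SAR_GROUP = "authorization.k8s.io"
SAR_RESOURCE = "subjectaccessreviews"


def _matches(values, wanted):
    """RBAC list semantics: an exact entry or the '*' wildcard matches."""
    return wanted in values or "*" in values


def rule_grants_sar_create(rule):
    """True if a single PolicyRule lets its holder create SubjectAccessReviews."""
    return (
        _matches(rule.get("apiGroups", []), SAR_GROUP)
        and _matches(rule.get("resources", []), SAR_RESOURCE)
        and _matches(rule.get("verbs", []), "create")
    )


def subject_covers_sa(subject, sa_namespace, sa_name):
    """A binding subject covers the SA if it names it directly or names a
    group every ServiceAccount is automatically a member of."""
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "ServiceAccount":
        return subject.get("namespace") == sa_namespace and name == sa_name
    if kind == "Group":
        return name in ("system:serviceaccounts",
                        f"system:serviceaccounts:{sa_namespace}",
                        "system:authenticated")
    return False


def sar_granting_roles(clusterroles, clusterrolebindings, sa_namespace, sa_name):
    """Names of ClusterRoles through which the SA can create SubjectAccessReviews.
    An empty list means the RBAC part of the remediation holds."""
    roles_by_name = {r["metadata"]["name"]: r for r in clusterroles}
    granting = set()
    for binding in clusterrolebindings:
        if not any(subject_covers_sa(s, sa_namespace, sa_name)
                   for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref.get("kind") != "ClusterRole":
            continue
        role = roles_by_name.get(ref["name"])
        if role and any(rule_grants_sar_create(r) for r in role.get("rules", [])):
            granting.add(role["metadata"]["name"])
    return sorted(granting)


# Assumed ServiceAccount identity of the default PolicyServer (not from the advisory).
SA_NAMESPACE, SA_NAME = "kubewarden", "policy-server-default"

# Constructed "before" state: the role still carries the SAR 'create' grant.
VULNERABLE_ROLE = {
    "metadata": {"name": "policy-server-default"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces", "pods"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [SAR_GROUP], "resources": [SAR_RESOURCE], "verbs": ["create"]},
    ],
}
# Constructed "after" state: same role with the SubjectAccessReview rule removed.
HARDENED_ROLE = {"metadata": {"name": "policy-server-default"},
                 "rules": [VULNERABLE_ROLE["rules"][0]]}
BINDING = {
    "metadata": {"name": "policy-server-default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "policy-server-default"},
    "subjects": [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": SA_NAMESPACE}],
}
# Constructed overlooked grant: a wildcard role bound to every ServiceAccount.
WILDCARD_ROLE = {"metadata": {"name": "authz-wildcard"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
WILDCARD_BINDING = {
    "metadata": {"name": "authz-wildcard"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "authz-wildcard"},
    "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
}


def audit_before():
    return sar_granting_roles([VULNERABLE_ROLE], [BINDING], SA_NAMESPACE, SA_NAME)


def audit_after():
    return sar_granting_roles([HARDENED_ROLE], [BINDING], SA_NAMESPACE, SA_NAME)


def audit_after_with_wildcard():
    return sar_granting_roles([HARDENED_ROLE, WILDCARD_ROLE],
                              [BINDING, WILDCARD_BINDING], SA_NAMESPACE, SA_NAME)


if __name__ == "__main__":
    print("before remediation:", audit_before())
    print("after remediation:", audit_after())
    print("after, with wildcard group grant:", audit_after_with_wildcard())
```

Against a live cluster the same question is answered by `kubectl auth can-i create subjectaccessreviews --as=system:serviceaccount:kubewarden:policy-server-default` (substituting the real ServiceAccount); the offline script is useful when reviewing exported RBAC, and its group-membership check is what catches grants that do not mention the PolicyServer by name.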
