etcd
cpe:2.3:a:etcd:etcd:*:*:*:*:*:*:*
- <= 3.4.43
- <= 3.6.10
- <= 3.5.29
A vulnerability in etcd, a distributed key-value store, allows for an authorization bypass in role-based access control (RBAC) settings. This issue is present in etcd versions prior to 3.4.44, 3.5.30, and 3.6.11. The vulnerability enables an authenticated user lacking sufficient read or lease-related permissions to access unauthorized data or attach leases. This is achieved by using transaction operations that leverage the PrevKv feature or lease attachment in Put requests, bypassing the necessary RBAC checks. While Kubernetes deployments are typically not affected due to their handling of authentication and authorization outside of etcd, the vulnerability could impact other systems relying on etcd's authorization mechanisms.
Exploitation of this vulnerability could lead to unauthorized access to data or the ability to attach leases, disrupting the intended access controls within the etcd key-value store.
Users can upgrade to etcd versions 3.4.44, 3.5.30, or 3.6.11 to address this vulnerability. If an immediate upgrade is not possible, it is recommended to treat the affected RPCs as unauthenticated, restrict network access to etcd server ports to only allow connections from trusted components, and require strong client identity at the transport layer, such as mutual TLS with carefully managed client certificate distribution.
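To see which members of a cluster still need the upgrade, the following Go example (added here, not etcd's own code) reads `etcdctl endpoint status -w json` output and compares each member's reported version with the fixed releases named above. The JSON field layout (`Endpoint`, `Status.version`) and the sample output are assumptions; pre-release tags such as `-rc.0` are stripped before comparing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// First fixed patch release on each affected minor branch, from the advisory.
var fixedPatch = map[string]int{"3.4": 44, "3.5": 30, "3.6": 11}
// IsAffected reports whether a server version such as "3.5.9" or "v3.6.3-rc.0"
// is below the fix on its branch; branches the advisory omits count as unaffected.
func IsAffected(version string) (bool, error) {
	v, _, _ := strings.Cut(strings.TrimPrefix(version, "v"), "-") // drop pre-release tag
	parts := strings.Split(v, ".")
	patch, err := strconv.Atoi(parts[len(parts)-1])
	if len(parts) != 3 || err != nil {
		return false, fmt.Errorf("unexpected etcd version %q", version)
	}
	fixed, listed := fixedPatch[parts[0]+"."+parts[1]]
	return listed && patch < fixed, nil
}
// Shape assumed here for `etcdctl endpoint status -w json` output.
type endpointStatus struct {
	Endpoint string `json:"Endpoint"`
	Status   struct {
		Version string `json:"version"`
	} `json:"Status"`
}
// AffectedEndpoints returns the endpoints in that JSON still on a vulnerable release.
func AffectedEndpoints(statusJSON []byte) ([]string, error) {
	var eps []endpointStatus
	if err := json.Unmarshal(statusJSON, &eps); err != nil {
		return nil, err
	}
	var out []string
	for _, ep := range eps {
		if affected, err := IsAffected(ep.Status.Version); err != nil {
			return nil, fmt.Errorf("%s: %w", ep.Endpoint, err)
		} else if affected {
			out = append(out, ep.Endpoint)
		}
	}
	return out, nil
}
// Constructed sample output (not captured from a real cluster).
const SampleStatus = `[{"Endpoint":"https://10.0.0.1:2379","Status":{"version":"3.5.9"}},
{"Endpoint":"https://10.0.0.2:2379","Status":{"version":"3.5.30"}}]`
func main() { fmt.Println(AffectedEndpoints([]byte(SampleStatus))) } // [https://10.0.0.1:2379] <nil>
```

A version on an unlisted branch is reported as unaffected, and an unparsable version string is returned as an error rather than silently passed, so the check fails loudly on unexpected input.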