CVE-2022-23551

AAD Pod Identity obtaining token with backslash

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has been included in AAD Pod Identity release version 1.8.13. If using the AKS pod-managed identities add-on, no action is required. The clusters should now be running the version 1.8.13 release.

aad-pod-identity asigna identidades de Azure Active Directory a aplicaciones de Kubernetes y ahora quedó obsoleto a partir del 24 de octubre de 2022. El componente NMI en AAD Pod Identity intercepta y valida solicitudes de token según expresiones regulares. En este caso, una solicitud de token realizada con una barra invertida en la solicitud (ejemplo: `/metadata/identity\oauth2\token/`) omitirá la validación de NMI y se enviará a IMDS, lo que permitirá que un pod en el clúster acceda a identidades a las que no debería tener acceso. Este problema se solucionó y se incluyó en la versión 1.8.13 de AAD Pod Identity. Si utiliza el complemento de identidades administradas por pods de AKS, no es necesario realizar ninguna acción. Los clústeres ahora deberían ejecutar la versión 1.8.13.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Authentication

Multiple

Confidentiality

Partial

Integrity

Complete

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-19 CVE Reserved
2022-12-21 CVE Published
2024-08-03 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-863: Incorrect Authorization
CWE-1259: Improper Restriction of Security Token Assignment

CAPEC

References (3)

URL	Tag	Source
https://github.com/Azure/aad-pod-identity/releases/tag/v1.8.13	Third Party Advisory
https://github.com/Azure/aad-pod-identity/security/advisories/GHSA-p82q-rxpm-hjpc	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/Azure/aad-pod-identity/commit/7e01970391bde6c360d077066ca17d059204cb5d	2023-01-04

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Azure Ad Pod Identity Search vendor "Microsoft" for product "Azure Ad Pod Identity"				< 1.8.13 Search vendor "Microsoft" for product "Azure Ad Pod Identity" and version " < 1.8.13"		-		Affected