Skip to content

Legacy Node API Allows Impersonation in github.com/spiffe/spire/pkg/server/endpoints/node

High severity GitHub Reviewed Published Mar 4, 2021 in spiffe/spire • Updated Oct 2, 2023

Package

gomod github.com/spiffe/spire (Go)

Affected versions

>= 0.8.1, < 0.8.5
>= 0.9.0, < 0.9.4
>= 0.10.0, < 0.10.2
>= 0.11.0, < 0.11.3
>= 0.12.0, < 0.12.1

Patched versions

0.8.5
0.9.4
0.10.2
0.11.3
0.12.1

Description

Summary

In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API (github.com/spiffe/spire/pkg/server/endpoints/node) can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1.

What are the changes introduced by the patched versions?

The changes introduced to address this issue are related to enforcing that the FetchX509SVID RPC of SPIRE Server’s Legacy Node API only issues X.509 certificates with SPIFFE IDs that the agent is authorized to distribute.

The patched version also includes a back-ported change that improves the handling of file descriptors related to workload attestation in SPIRE Agent.

There are no changes in the expected behavior of SPIRE.

Should I upgrade SPIRE?

All SPIRE users running affected versions are advised to upgrade to the corresponding patched version.

Workarounds

No workarounds have been identified for this vulnerability.

References

@azdagron azdagron published to spiffe/spire Mar 4, 2021
Reviewed May 21, 2021
Published to the GitHub Advisory Database May 21, 2021
Last updated Oct 2, 2023

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS score

0.063%
(29th percentile)

CVE ID

CVE-2021-27098

GHSA ID

GHSA-h746-rm5q-8mgq

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.