CVE-2024-43403: 
vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-43403) has been discovered in Kanister, a data protection workflow management tool. The vulnerability was identified by Nanzi Yang, a PostDoc at UMN, and affects versions prior to 0.112.0. The issue stems from the default-kanister-operator deployment being bound with a Kubernetes ClusterRole called 'edit' via ClusterRoleBinding, which grants extensive permissions that could be exploited for privilege escalation (GitHub Advisory).

The vulnerability centers around the default-kanister-operator deployment's association with the 'edit' ClusterRole, which provides extensive permissions including create/patch/update verbs for daemonset resources, create verb for serviceaccount/token resources, and impersonate verb for serviceaccounts resources. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

The vulnerability's exploitation could lead to complete cluster compromise through multiple attack vectors. An attacker could create or modify daemonset Pods to mount high-privilege service accounts, generate new service account tokens with elevated privileges, or impersonate high-privilege service accounts to gain cluster-wide administrative access. This effectively enables full control over the Kubernetes environment, allowing the creation, modification, or deletion of critical resources (Security Online).

The vulnerability has been patched in Kanister version 0.112.0. Users can also mitigate the risk by setting the rbac.create flag to false in the Kanister helm chart and creating custom RBAC rules with limited permissions. Additionally, service account configurations can be customized via helm to restrict access scope to specific namespaces (GitHub Advisory).