
Cloud Vulnerability DB
A community-led vulnerabilities database
Hwameistor, an HA local storage system for cloud-native stateful workloads, was found to contain a critical security vulnerability (CVE-2024-45054) in versions up to 0.14.5. The vulnerability stems from excessive permissions granted in the ClusterRole configuration, where a ClusterRole is granted the wildcard verb (*) on wildcard resources (*). This vulnerability was discovered and reported through multiple channels, including GitHub issues and direct mail reports (GitHub Issues).
The vulnerability exists in the ClusterRole configuration where hwameistor-role was granted unrestricted wildcard (*) permissions to perform any operation on all resources in the cluster. This does not comply with the principle of least privilege. The CVSS v3.1 base score is 2.8 (LOW) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N, indicating a local attack vector with low attack complexity, requiring high privileges and user interaction, with a scope change and low confidentiality impact (NVD).
If exploited, a malicious user with access to a worker node containing hwameistor's deployment can abuse these excessive permissions to perform unauthorized actions across the entire cluster. This could lead to cluster-level privilege escalation, allowing the attacker to control the entire Kubernetes cluster. The attacker could potentially list confidential information, create privileged containers, and gain full administrative access (GitHub Advisory).
The vulnerability has been patched in version 0.14.6. Users are advised to upgrade to this version. For those unable to upgrade immediately, a workaround is available by updating and limiting the ClusterRole using security-role. Additional mitigation strategies include carefully evaluating required permissions, using more granular RBAC rules, and isolating applications into different namespaces (GitHub Advisory).
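The following audit script is an added example, not part of this report or of the Hwameistor project: it takes a ClusterRole object in the shape returned by `kubectl get clusterrole NAME -o json` and flags wildcard grants of the kind described above, beside a constructed, hypothetical least-privilege rule set (the role names and the scoped permissions are assumptions, not hwameistor's actual requirements).

```python
# Audit a Kubernetes ClusterRole (the JSON shape of `kubectl get clusterrole -o json`)
# for wildcard grants. Both role objects below are constructed samples, not real manifests.
WILDCARD = "*"

# Constructed example of the over-permissive shape described in the advisory:
# any verb on any resource in any API group.
OVERLY_BROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-broad-role"},  # hypothetical name
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# Constructed, hypothetical least-privilege replacement: explicit groups, resources and verbs.
SCOPED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-scoped-role"},  # hypothetical name
    "rules": [
        {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list", "watch"]},
    ],
}


def wildcard_findings(role):
    """Return one (rule_index, field) tuple per rule field that contains '*'."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if WILDCARD in rule.get(field, []):
                findings.append((i, field))
    return findings


def grants_cluster_admin_equivalent(role):
    """True if a single rule wildcards apiGroups, resources and verbs at once,
    which matches the resource rule of the built-in cluster-admin role."""
    return any(
        all(WILDCARD in rule.get(f, []) for f in ("apiGroups", "resources", "verbs"))
        for rule in role.get("rules", [])
    )


if __name__ == "__main__":
    for role in (OVERLY_BROAD_ROLE, SCOPED_ROLE):
        name = role["metadata"]["name"]
        print(name, wildcard_findings(role), grants_cluster_admin_equivalent(role))
```

Running the same functions over every ClusterRole in a cluster (e.g. the `items` list of `kubectl get clusterroles -o json`) gives a quick inventory of roles that need the narrowing described above.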
Source: This report was generated using AI