Executive Summary
The GCP Authenticator component of Conjur can be misconfigured in a way that may lead to an authentication bypass by a Google Cloud user, resulting in credentials leakage.
Affected Software
The GCP Authenticator component of Conjur Open Source, versions 1.9.0 through 1.13.1 (inclusive).
Detailed Explanation
Affected versions of Conjur that enable the GCP Authenticator permit configurations that may lead to an authentication bypass.
The GCP Authenticator relies on host annotations, including authn-gcp/instance-name, authn-gcp/project-id, authn-gcp/service-account-id, and authn-gcp/service-account-email, to define the scope of access.
The GCP Authenticator requires just one of these to be set. While the authn-gcp/project-id, authn-gcp/service-account-id, and authn-gcp/service-account-email annotations are unique across the Google Cloud platform, the authn-gcp/instance-name annotation is only unique at the project level.
In situations where the GCP Authenticator was configured only with the authn-gcp/instance-name annotation, an attacker could bypass the authenticator by spoofing the instance name.
Recommendations
CyberArk highly recommends that all customers using the GCP Authenticator in the affected versions:
- Modify defined hosts with a single authn-gcp/instance-name annotation, by adding at least one more GCP annotation.
- Upgrade to version 1.13.2.
Note: After upgrading, hosts with a single authn-gcp/instance-name annotation will not be allowed to authenticate.
CyberArk also highly recommends that all customers using the affected versions of Conjur upgrade to version 1.13.2, in case they use the GCP Authenticator in the future.
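To find the hosts the first recommendation applies to before upgrading, the audit below flags every host whose only GCP scoping annotation is authn-gcp/instance-name. It is an added example, not CyberArk or Conjur code; the input shape (a list of host records, each with an "id" and a list of name/value "annotations"), the function names and the sample records are assumptions made for illustration.

```python
import json

# The four scoping annotations named in the advisory.
GCP_SCOPE = {
    "authn-gcp/instance-name",
    "authn-gcp/project-id",
    "authn-gcp/service-account-id",
    "authn-gcp/service-account-email",
}
WEAK_ALONE = "authn-gcp/instance-name"  # only unique within one project


def gcp_scope(host):
    """Return the non-empty authn-gcp scoping annotations set on a host."""
    # Conservative choice in this example: an annotation with an empty
    # value is treated as not set, so it cannot mask a weak host.
    return {
        a["name"]
        for a in host.get("annotations", [])
        if a.get("name") in GCP_SCOPE and str(a.get("value", "")).strip()
    }


def instance_name_only_hosts(hosts):
    """Sorted IDs of hosts scoped by authn-gcp/instance-name alone."""
    return sorted(h["id"] for h in hosts if gcp_scope(h) == {WEAK_ALONE})


# Constructed sample records (hypothetical host IDs and values).
SAMPLE = json.loads("""[
 {"id": "myorg:host:gcp-apps/vm-a", "annotations": [
   {"name": "authn-gcp/instance-name", "value": "vm-a"}]},
 {"id": "myorg:host:gcp-apps/vm-b", "annotations": [
   {"name": "authn-gcp/instance-name", "value": "vm-b"},
   {"name": "authn-gcp/project-id", "value": "example-project"}]},
 {"id": "myorg:host:gcp-apps/fn-c", "annotations": [
   {"name": "authn-gcp/service-account-email", "value": "fn-c@example.invalid"}]},
 {"id": "myorg:host:gcp-apps/vm-d", "annotations": [
   {"name": "description", "value": "batch worker"},
   {"name": "authn-gcp/instance-name", "value": "vm-d"},
   {"name": "authn-gcp/project-id", "value": ""}]},
 {"id": "myorg:host:other/ci", "annotations": []}
]""")

if __name__ == "__main__":
    for host_id in instance_name_only_hosts(SAMPLE):
        print("needs a second authn-gcp annotation:", host_id)
```

Hosts reported here are the ones that will stop authenticating after the upgrade to 1.13.2 unless a second GCP annotation is added first.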
Frequently Asked Questions (FAQ)
- I am using the affected version but did not enable the GCP Authenticator. Is my organization at risk?
No. This vulnerability only puts at risk customers who enabled the GCP Authenticator.
However, it is recommended that you upgrade to version 1.13.2 in case you use the GCP Authenticator in the future.
- I am using the affected version with enabled GCP Authenticator and with multiple annotations for each host. Is my organization at risk?
No. This vulnerability only puts at risk those customers who enabled the GCP Authenticator with only the single authn-gcp/instance-name annotation.
For more information
If you have any questions or comments about this advisory, please email us at security@conjur.org.