
GHSA-q4pp-j36h-3gqg basti-cdk

Package

Manager: npm
Name: basti-cdk
Vulnerable Version: >=0 <1.0.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Minimal `basti` IAM Policy Allows Shell Access

### Summary

The Minimal IAM Policy provided for `basti connect` does not include the `ssm:SessionDocumentAccessCheck` condition. As a result, a principal granted that policy can open an interactive shell session on the bastion instance, not just the port-forwarding access the policy is intended to grant.

### Details

`basti connect` is designed to "securely connect to your RDS/Aurora/Elasticache/EC2 instances", using a bastion instance "with [AWS Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) port forwarding capability to make the target available on your localhost."

The [Minimal IAM Policy](https://github.com/BohdanPetryshyn/basti#minimal-iam-permissions) allows port forwarding via the following statement:

```json
{
  "Effect": "Allow",
  "Action": "ssm:StartSession",
  "Resource": [
    "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
    "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
  ]
}
```

This statement does not include the following condition:

```
"Condition": {
  "BoolIfExists": {
    "ssm:SessionDocumentAccessCheck": "true"
  }
}
```

Without that condition, IAM does not check the session document when the caller omits it and Session Manager falls back to the default `SSM-SessionManagerRunShell` document. The `basti connect` minimal policy is therefore logically identical to:

```json
{
  "Effect": "Allow",
  "Action": "ssm:StartSession",
  "Resource": [
    "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
    "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
    "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
  ]
}
```

A `basti` admin would expect users under the minimal policy to be able only to port forward. However, those users can also get a shell on the bastion. For more details on this footgun, see: https://ramimac.me/ssm-iam

### PoC

_Complete instructions, including specific configuration details, to reproduce the vulnerability._

### Impact

Impact would depend on the configuration/hardening of the bastion. I've seen examples where bastions have credentials to downstream systems in configuration or memory that would be exposed.
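The following is an added example, not code from basti or from the advisory author. It is a deliberately small model of how IAM treats the session document for `ssm:StartSession`, so the minimal policy and a hardened copy of it can be evaluated side by side. The modelled rule, taken from the AWS documentation for the condition key, is: a document the caller names explicitly is always matched against `Resource`; a document the caller omits falls back to `SSM-SessionManagerRunShell` and is matched against `Resource` only when the statement carries `ssm:SessionDocumentAccessCheck: true`. The region, account ID, instance ID and the simplified ARN matcher are assumptions made for the example; real IAM evaluation (deny statements, multiple statements, resource policies) is not modelled.

```python
"""Model of ssm:StartSession evaluation with and without ssm:SessionDocumentAccessCheck.

Added example for the GHSA-q4pp-j36h-3gqg advisory; not basti's code. Only the
single rule the advisory relies on is modelled (see ASSUMPTION comments).
"""
import fnmatch
from typing import List, Optional, Tuple, Union

# Constructed identifiers standing in for the <your-...> placeholders in the README policy.
REGION = "us-east-1"
ACCOUNT = "123456789012"
INSTANCE_ID = "i-0123456789abcdef0"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{INSTANCE_ID}"

# AWS-owned documents carry an empty account field; SSM-SessionManagerRunShell is account-owned.
PORT_FORWARD_DOC = f"arn:aws:ssm:{REGION}::document/AWS-StartPortForwardingSessionToRemoteHost"
DEFAULT_SHELL_DOC = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell"

# The statement from the README's Minimal IAM Policy, with placeholders filled in.
MINIMAL_STATEMENT = {
    "Effect": "Allow",
    "Action": "ssm:StartSession",
    "Resource": [
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
        INSTANCE_ARN,
    ],
}

# Same statement plus the condition the advisory says is missing.
HARDENED_STATEMENT = {
    **MINIMAL_STATEMENT,
    "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def arn_matches(pattern: str, arn: str) -> bool:
    """ASSUMPTION: simplified ARN matching, * and ? are globs within each of the six
    colon-separated ARN segments. Enough for the ARNs used in this advisory."""
    pat_parts, arn_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(pat_parts) != len(arn_parts):
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(arn_parts, pat_parts))


def document_access_checked(statement: dict) -> bool:
    """True when the statement forces IAM to check the (default) session document."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        if str(cond.get(operator, {}).get("ssm:SessionDocumentAccessCheck", "")).lower() == "true":
            return True
    return False


def session_allowed(statement: dict, target_arn: str,
                    document_arn: Optional[str]) -> Tuple[bool, str]:
    """Evaluate one Allow statement for StartSession on target_arn.

    document_arn=None models a caller that omits the document, e.g.
    `aws ssm start-session --target <id>`, which yields an interactive shell.
    Returns (allowed, document_that_would_run).
    """
    doc_used = document_arn or DEFAULT_SHELL_DOC
    if statement.get("Effect") != "Allow":
        return False, doc_used
    if not any(fnmatch.fnmatchcase("ssm:StartSession", a) for a in _as_list(statement.get("Action"))):
        return False, doc_used

    resources = _as_list(statement.get("Resource"))
    if not any(arn_matches(r, target_arn) for r in resources):
        return False, doc_used  # wrong instance: denied regardless of document

    # ASSUMPTION (AWS docs for the condition key): an omitted document is only
    # checked against Resource when SessionDocumentAccessCheck is set to true.
    if document_arn is None and not document_access_checked(statement):
        return True, doc_used  # the footgun: default shell document never examined

    return any(arn_matches(r, doc_used) for r in resources), doc_used


def compare_policies() -> dict:
    """Port-forward and plain-shell requests under both statements."""
    results = {}
    for name, stmt in (("minimal", MINIMAL_STATEMENT), ("hardened", HARDENED_STATEMENT)):
        results[name] = {
            "port_forward": session_allowed(stmt, INSTANCE_ARN, PORT_FORWARD_DOC)[0],
            "shell": session_allowed(stmt, INSTANCE_ARN, None)[0],
        }
    return results


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(f"{policy:9s} port_forward={outcome['port_forward']} shell={outcome['shell']}")
```

Running the module prints that the minimal statement allows both the port-forwarding session and the bare shell session, while the hardened statement allows only port forwarding, because the defaulted `SSM-SessionManagerRunShell` ARN is now checked and is not in `Resource`. If a deployment does want shell access for some principals, list that document ARN explicitly rather than relying on the unchecked default.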

Metadata

Created: 2023-08-24T12:53:06Z
Modified: 2023-08-24T12:53:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q4pp-j36h-3gqg/GHSA-q4pp-j36h-3gqg.json
CWE IDs: []
Alternative ID: N/A
Finding: F039
Auto approve: 1