CVE-2026-22043
Privilege Escalation in RustFS IAM via Policy Bypass

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor  Product  Version / Range
rustfs  rustfs   From 1.0.0-alpha.13 (inclusive) to 1.0.0-alpha.78 (inclusive)
rustfs  rustfs   1.0.0-alpha.79
CWE
CWE ID   Description
CWE-269  The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Executive Summary

The vulnerability in RustFS arises from a flawed implementation of the `deny_only` short-circuit in its IAM policy evaluation: when `deny_only` is true and no explicit Deny statement matches, the evaluator grants access without consulting any Allow statements. The flaw is reachable during service account creation, so a restricted service account or STS credential can create a new, unrestricted service account that inherits the full privileges of the parent, up to root-level access. The result is privilege escalation and a bypass of session and inline policy restrictions. [1]
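As an added illustration, not RustFS source code (the page does not reproduce the project's evaluator or its patch): a minimal IAM-style policy evaluator in the shape the summary describes, with the flawed `deny_only` short-circuit beside a corrected evaluation that only grants on a matching Allow. The type and function names, the `admin:CreateServiceAccount` action string and the sample session policy are all assumed or constructed here.

```rust
// Added illustration, not RustFS source: a minimal IAM-style policy
// evaluator in the shape the advisory describes. Names are assumed.
#[derive(Clone, Copy, PartialEq)]
enum Effect { Allow, Deny }

struct Statement { effect: Effect, action: &'static str }

struct Policy { statements: Vec<Statement> }

impl Policy {
    // True if any statement with `effect` covers `action` ("*" matches all).
    fn matches(&self, effect: Effect, action: &str) -> bool {
        self.statements
            .iter()
            .any(|s| s.effect == effect && (s.action == action || s.action == "*"))
    }
}

/// Flawed shape: when `deny_only` is set and no explicit Deny matches, the
/// evaluator returns true without ever consulting the Allow statements, so a
/// restricted session/inline policy no longer limits the action.
fn is_allowed_vulnerable(policy: &Policy, action: &str, deny_only: bool) -> bool {
    if policy.matches(Effect::Deny, action) {
        return false;
    }
    if deny_only {
        return true; // short-circuit: absence of Deny treated as a grant
    }
    policy.matches(Effect::Allow, action)
}

/// Corrected shape (assumed; the page does not show the actual patch): an
/// explicit Deny still wins, but access is granted only by a matching Allow.
fn is_allowed_fixed(policy: &Policy, action: &str) -> bool {
    !policy.matches(Effect::Deny, action) && policy.matches(Effect::Allow, action)
}

/// Constructed sample: a restricted session policy that only permits listing.
fn restricted_policy() -> Policy {
    Policy { statements: vec![Statement { effect: Effect::Allow, action: "s3:ListBucket" }] }
}

fn main() {
    let p = restricted_policy();
    let action = "admin:CreateServiceAccount"; // assumed action name
    println!("vulnerable evaluator grants {}: {}", action, is_allowed_vulnerable(&p, action, true));
    println!("fixed evaluator grants {}: {}", action, is_allowed_fixed(&p, action));
}
```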

Compliance Impact

This vulnerability allows privilege escalation and unauthorized access to all S3, Admin, and KMS operations by enabling restricted service accounts to create unrestricted accounts with full privileges, including root access. Such unauthorized access and privilege escalation can lead to breaches of confidentiality and integrity of sensitive data, which may result in non-compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive information. [1]

Impact Analysis

This vulnerability allows any holder of a restricted service account or STS credential to mint an unrestricted service account with full parent-level privileges, including root access. This compromises the confidentiality and integrity of the system by enabling unauthorized access to all S3, Admin, and KMS operations, effectively allowing privilege escalation and bypassing policy restrictions. [1]

Detection Guidance

Detection can be performed by attempting to reproduce the privilege escalation described in the proof-of-concept (PoC) against a local RustFS test instance, using tools such as awscli, awscurl, and jq, to confirm whether a restricted service account can create an unrestricted child service account and reach resources beyond its policy. The PoC steps are: clean up any test accounts and buckets, create buckets and seed objects, define restricted IAM policies, create restricted service accounts, and then attempt to create child service accounts without policies to verify whether access beyond the parent's policy is granted. The specific commands are awscli or awscurl invocations that create service accounts, list buckets, and access objects, as shown in the PoC. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade RustFS to version 1.0.0-alpha.79 or later, where the vulnerability has been fixed. This version corrects the flawed `deny_only` short-circuit logic in the IAM policy evaluation, preventing restricted service accounts from self-issuing unrestricted service accounts and thereby stopping privilege escalation. [1]
