CVE-2024-42480

8.1 HIGH

📋 TL;DR

Kamaji versions 1.0.0 and earlier have an RBAC misconfiguration that allows Kubernetes control plane API servers to access and manipulate data from other control planes. This affects all deployments using vulnerable Kamaji versions for hosted Kubernetes control planes. The vulnerability stems from overly permissive etcd role definitions.

💻 Affected Systems

Products:
  • Kamaji (Hosted Control Plane Manager for Kubernetes)
Versions: 1.0.0 and earlier
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the default RBAC configuration are vulnerable. The vulnerability exists in the etcd role definitions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Kubernetes control planes managed by Kamaji, allowing attackers to read, modify, or delete sensitive cluster data across multiple tenants.

🟠 Likely Case

Unauthorized cross-tenant data access between control planes, potentially exposing sensitive configuration, secrets, or cluster state information.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though the vulnerability still exists at the RBAC level.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to a control plane API server but leverages built-in RBAC permissions. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: edge-24.8.2

Vendor Advisory: https://github.com/clastix/kamaji/security/advisories/GHSA-6r4j-4rjc-8vw5

Restart Required: Yes

Instructions:

1. Update Kamaji to version edge-24.8.2 or later.
2. Restart all Kamaji components.
3. Verify that the RBAC configurations are properly scoped.

🔧 Temporary Workarounds

Manual RBAC Correction

Platform: linux

Manually adjust the etcd role definitions to use properly scoped resource names instead of open ranges:

kubectl edit clusterrole kamaji-etcd-role
kubectl edit clusterrole kamaji-etcd-lease-role

🧯 If You Can't Patch

  • Implement strict network segmentation between control plane etcd instances
  • Apply an additional layer of authentication/authorization between control planes

🔍 How to Verify

Check if Vulnerable:

Check the Kamaji version and review the etcd role definitions for open-range patterns in the RBAC rules.

Check Version:

kubectl get deployment -n kamaji-system kamaji-controller-manager -o jsonpath='{.spec.template.spec.containers[0].image}'

Verify Fix Applied:

Verify that the Kamaji version is edge-24.8.2 or later and that the etcd roles use properly scoped resource names.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized etcd access attempts across control plane boundaries
  • Unexpected etcd operations from non-owner control planes

Network Indicators:

  • Cross-control-plane etcd traffic that shouldn't exist
  • Unexpected etcd port connections between control planes

SIEM Query:

source="etcd" AND (operation="PUT" OR operation="DELETE" OR operation="GET") AND NOT dest_control_plane=source_control_plane
