Etcd Server - Unauthenticated Access

By kannthu

Severity: High
Vidoc Module
#tech #k8s #kubernetes #devops #etcd
Description

What is "Etcd Server - Unauthenticated Access"?

The "Etcd Server - Unauthenticated Access" module is designed to detect a vulnerability in a Kubernetes etcd server. Etcd is a distributed key-value store that stores cluster secrets and configuration files. This module specifically targets the issue of anonymous access, which allows unauthorized users to access the data stored in etcd without providing any authentication credentials.

This vulnerability is considered high severity, as it can lead to unauthorized access to sensitive information and potential data breaches.

This module was authored by sharath and pussycat0x.

Impact

The "Etcd Server - Unauthenticated Access" vulnerability exposes sensitive data stored in the etcd server to unauthorized users. This can include cluster secrets, configuration files, and other sensitive information. Attackers can exploit this vulnerability to gain unauthorized access to the Kubernetes cluster and potentially compromise the entire system.

How does the module work?

The "Etcd Server - Unauthenticated Access" module works by sending HTTP requests to the target etcd server and checking for specific conditions that indicate the presence of the vulnerability. The module uses the following matching conditions:

- The response body must contain the words "\"node\":" and "\"key\":".
- The response headers must include the word "application/json".
- The HTTP response status code must be 200.

If all of these conditions are met, the module reports the vulnerability.

Here is an example of an HTTP request that the module sends:

GET /v2/keys/

The module checks the response of this request against the matching conditions to determine if the vulnerability exists.
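The three matching conditions above, applied to saved HTTP responses (for example `curl -i` output from an etcd endpoint you operate). This is an added example, not Vidoc's module code; the function names and the sample responses are constructed for illustration.

```python
# Added example: the module's matching conditions applied to captured responses.
REQUIRED_BODY_WORDS = ('"node":', '"key":')  # body words listed by the module

def parse_response(raw):
    """Split a raw HTTP response (e.g. saved `curl -i` output) into its parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    return status, "\n".join(lines[1:]), body

def module_matches(raw):
    """True only if all three conditions hold together (logical AND)."""
    status, headers, body = parse_response(raw)
    return (status == 200
            and "application/json" in headers
            and all(word in body for word in REQUIRED_BODY_WORDS))

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    # Keyspace listing returned without credentials: all conditions hold.
    "open_keyspace": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
        '{"action":"get","node":{"dir":true,"nodes":[{"key":"/registry","dir":true}]}}'
    ),
    # Authentication enforced: the status condition fails.
    "auth_required": (
        "HTTP/1.1 401 Unauthorized\r\nContent-Type: application/json\r\n\r\n"
        '{"message":"Insufficient credentials"}'
    ),
    # Unrelated page that happens to contain both words: header condition fails.
    "html_page": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html>"node": "key": shown in docs</html>'
    ),
    # 200 JSON reply with no keys in it: the body condition fails.
    "empty_keyspace": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
        '{"action":"get","node":{"dir":true}}'
    ),
}

def evaluate_samples():
    return {name: module_matches(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'report vulnerability' if hit else 'no match'}")
```

The `empty_keyspace` case shows that a reply without any `"key":` entry does not satisfy the body condition, so a "no match" result on its own does not confirm that authentication is enforced.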

For more information, you can refer to the following resource: https://www.optiv.com/insights/source-zero/blog/kubernetes

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /v2/keys/
Matching conditions
word: "node":, "key":
and
word: application/json
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability