RustFS IAM deny_only Short-Circuit Privilege Escalation via Service Account Forgery (GHSA-xgr5-qc6w-vcg9)

Key Information Summary Vulnerability Overview Vulnerability Name: RustFS IAM Short-Circuit Allows Privilege Escalation via Service Account Forgery Vulnerability ID: GHSA-xgr5-qc6w-vcg9 Release Date: Two weeks ago Vulnerability Status: Patched Affected Versions: alpha.13 - alpha.78 Patched Version: alpha.79 Severity: Medium Description Summary A short-circuit flaw in RustFS IAM's logic allows restricted service accounts or STS credentials to self-create unrestricted service accounts and inherit full privileges of the parent account. This leads to privilege escalation and bypassing session/inlined policy restrictions. Specific Details Issue and Cause: - When is and no explicit deny entries exist, returns , skipping all allow checks. - The path for creating a service account sets to when the target user equals the caller or its parent. - Service accounts are created by default without a , thus lacking , which, combined with , enables self-operation without any allow declarations. - Ultimately, a restricted service account/STS can create a new service account without policy and gain full rights of the parent account—even root privileges—bypassing original restrictions. Vulnerability Code Location References : Contains the short-circuit logic. : Sets for target users. : Default service account creation without . Vulnerability Demonstration Create Restricted Service Account: With a simple allow policy. Create Child Service Account: Without policy (triggers short-circuit). Child Account Privileges: The child account ( ) successfully lists, reads, and writes objects in S3 buckets outside the restricted policy scope (e.g., reads/writes to ). Demonstration Steps 1. Clean up old service accounts and buckets. 2. Create bucket1, bucket2, and seed files in bucket3. 3. Create restriction policies for bucket1 and bucket2. 4. Create a restricted service account. 5. Create a child service account; this account should not have access to bucket3. 6. Use the child account to access bucket3 and write content: if successful, the vulnerability exists. Impact Assessment Enables bypassing restrictions and performing privileged operations (S3, management services, key management, etc.), posing a high risk to information confidentiality and integrity.

Goal Reached Thanks to every supporter — we hit 100%!

RustFS IAM deny_only Short-Circuit Privilege Escalation via Service Account Forgery (GHSA-xgr5-qc6w-vcg9)

More from this source