etcd: Nested etcd transactions bypass RBAC authorization checks

Impact

What kind of vulnerability is it? Who is impacted?

An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store.

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Patches

Has the problem been patched? What versions should users upgrade to?

This vulnerability is patched in the following versions:

• etcd 3.6.9
• etcd 3.5.28
• etcd 3.4.42

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

If upgrading is not immediately possible, reduce exposure by treating the affected
RPCs as unauthenticated in practice.

• restrict network access to etcd server ports so only trusted components can connect
• require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate
  distribution

Reporters

Our community helps keep etcd secure

SIG-Etcd thanks community members Luke Francis and Battulga Byambaa for reporting this vulnerability.