Severity: Critical | Status: Active

Juju Controller CloudSpec API Unauthorized Credential Exposure

An authorization flaw in the Juju CloudSpec API lets any authenticated controller user retrieve the cloud credentials used at bootstrap, bypassing the intended role-based access controls. This PoC demonstrates privilege escalation through an API permission misconfiguration affecting multiple recent versions.

Author: Sebastion

CVE References: (none listed)

Affected: Juju/juju v2.9, Juju/juju v3.6, Juju/juju v4.0.6

Vulnerability Description: This is an authorization bypass vulnerability in the CloudSpec method of Juju's Controller facade. The vulnerability stems from insufficient permission checks on a sensitive API endpoint—cloud credentials used during controller bootstrap are exposed to any user with basic controller login privileges, rather than being restricted to superusers or model administrators. The root cause is a missing or misconfigured authorization gate that should validate elevated privileges before returning confidential credential material.

PoC Significance: This proof-of-concept demonstrates that the CloudSpec API endpoint is reachable by low-privilege authenticated clients, proving the authorization control is either absent or ineffective. The PoC establishes a reproducible path to credential exfiltration with minimal preconditions: an attacker needs only valid login credentials to any Juju controller and knowledge of the controller model UUID (often discoverable through enumeration). This is a reliable, high-impact demonstration suitable for patch validation.

Detection Guidance: Monitor CloudSpec method calls in controller audit logs and API access patterns. Look for: (1) CloudSpec API calls from non-administrative user contexts, (2) repeated or systematic queries to CloudSpec from single or multiple sources, (3) API calls followed by lateral movement or credential usage on cloud infrastructure, (4) connections to port 17070 from unexpected internal/external networks. Implement alerting for any CloudSpec invocation by non-superuser principals. Correlate authentication logs with API logs to identify privilege levels of callers.
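As an added example (not part of this advisory and not Juju's own tooling), the following Python scans audit-log lines for Controller.CloudSpec requests and flags those whose conversation was opened by a principal outside an assumed superuser set, which is the first check listed above. The log lines are constructed and only loosely modelled on Juju's JSON-lines audit log (conversation records carry the caller, request records carry facade and method); the field names and the superuser list are assumptions.

```python
"""Flag Controller.CloudSpec calls made by non-superuser principals.

Added example; the log below is constructed and only loosely modelled on
Juju's JSON-lines audit log. Field names and the superuser set are assumed.
"""
import json

# Constructed sample: admin does a status call, low-privilege user "bob"
# calls CloudSpec twice from a custom client, then admin calls CloudSpec.
SAMPLE_AUDIT_LOG = """\
{"conversation":{"who":"admin","what":"juju status","when":"2024-01-01T10:00:00Z","model-uuid":"00000000-0000-0000-0000-000000000001","conversation-id":"c1","connection-id":"1"}}
{"request":{"conversation-id":"c1","connection-id":"1","request-id":1,"when":"2024-01-01T10:00:01Z","facade":"Client","method":"FullStatus","version":6}}
{"conversation":{"who":"bob","what":"custom client","when":"2024-01-01T10:05:00Z","model-uuid":"00000000-0000-0000-0000-000000000001","conversation-id":"c2","connection-id":"2"}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":1,"when":"2024-01-01T10:05:01Z","facade":"Controller","method":"CloudSpec","version":11}}
{"request":{"conversation-id":"c2","connection-id":"2","request-id":2,"when":"2024-01-01T10:05:02Z","facade":"Controller","method":"CloudSpec","version":11}}
{"conversation":{"who":"admin","what":"juju show-cloud","when":"2024-01-01T10:10:00Z","model-uuid":"00000000-0000-0000-0000-000000000001","conversation-id":"c3","connection-id":"3"}}
{"request":{"conversation-id":"c3","connection-id":"3","request-id":1,"when":"2024-01-01T10:10:01Z","facade":"Controller","method":"CloudSpec","version":11}}
"""

# Assumed set of principals permitted to read bootstrap credentials.
SUPERUSERS = {"admin"}


def find_cloudspec_by_non_superusers(log_text, superusers=SUPERUSERS):
    """Return (who, when, conversation_id) for every Controller.CloudSpec
    request whose conversation was opened by a principal not in `superusers`.
    A request with no preceding conversation record is reported as
    "<unknown>", since its privilege level cannot be established."""
    who_by_conv = {}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "conversation" in rec:
            conv = rec["conversation"]
            who_by_conv[conv["conversation-id"]] = conv["who"]
        elif "request" in rec:
            req = rec["request"]
            if req.get("facade") == "Controller" and req.get("method") == "CloudSpec":
                who = who_by_conv.get(req["conversation-id"], "<unknown>")
                if who not in superusers:
                    findings.append((who, req["when"], req["conversation-id"]))
    return findings


if __name__ == "__main__":
    for who, when, conv_id in find_cloudspec_by_non_superusers(SAMPLE_AUDIT_LOG):
        print(f"ALERT CloudSpec by non-superuser {who} at {when} (conversation {conv_id})")
```

Repeated hits from one conversation, as with "bob" here, are the systematic-query pattern the guidance describes; feed the findings into whatever alerting correlates with authentication logs.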

Mitigation Steps: Immediate workaround: restrict ingress to controller API port 17070 using firewall rules, VPCs, or Kubernetes network policies—whitelist only required Juju CLI clients, libjuju applications, and JAAS services. For permanent remediation, upgrade to patched versions (patches currently unavailable; monitor Juju releases). In code, validate that CloudSpec callers possess superuser or model-admin roles before returning credential fields; expose only non-confidential data (endpoints, regions) to standard users. Implement request-level authorization checks before credential serialization.

Risk Assessment: The likelihood of exploitation in the wild is high to critical. Credential exposure provides direct access to the underlying cloud infrastructure (AWS, GCP, Azure, OpenStack accounts), enabling infrastructure hijacking, data exfiltration, or resource manipulation. Threat actors with insider access or compromised user credentials can escalate to cloud-level control. Organizations running multi-tenant or shared Juju controllers face a severe blast radius. Public disclosure and the lack of available patches increase urgency.