Incorrect Permission Assignment for Critical Resource Affecting github.com/talos-systems/talos/internal/app/trustd/internal/reg package, versions <1.2.2

github.com/talos-systems/talos/internal/app/trustd/internal/reg is a modern OS for running Kubernetes: secure, immutable, and minimal. Talos is fully open source, production-ready, and supported by the people at Sidero Labs All system management is done via an API - there is no shell or interactive console.

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource when a misconfigured Kubernetes environment may allow workloads to access the join token of the worker node. The vulnerability exists due to improper validation of the request while signing a worker node CSR (certificate signing request). Talos control plane node might issue a Talos API certificate, which allows full access to Talos API on a control plane node. Accessing Talos API with full-level access on a control plane node might reveal sensitive information which allows full-level access to the cluster (Kubernetes and Talos PKI, etc.).

Note:

Misconfigurations that may allow the machine configuration to be accessed on a worker node by the Kubernetes workload are:

• Allowing a hostPath mount to mount the machine config directly from the host filesystem (hostPath mounts should not be allowed for untrusted workloads, and are disabled by default in recent versions of Talos.)
• Reading machine configuration from a cloud metadata server from Kubernetes pods with host networking (on cloud platforms, when machine config is stored in the cloud metadata server, and the cloud metadata server doesn't provide enough protection to prevent access from non-host workloads)

• GitHub Commit
• GitHub Release