Manage ClusterIssuers (cert-manager.io)
Spoofing
Critical
Overview
| Field | Value |
|---|---|
| ID | 1062 |
| Name | Manage ClusterIssuers (cert-manager.io) |
| Risk Category | Spoofing |
| Risk Level | Critical |
| Role Type | ClusterRole |
| API Groups | cert-manager.io |
| Resources | clusterissuers |
| Verbs | create, update, patch, delete |
| Tags | CertificateManagement, ElevationOfPrivilege, Spoofing, Tampering |
Description
Allows managing cert-manager ClusterIssuers, which are responsible for signing certificate requests for the entire cluster. Control over ClusterIssuers can enable an attacker to issue arbitrary certificates, potentially for privileged identities or domains, leading to spoofing, tampering, and privilege escalation.
Abuse Scenarios
- Create a new ClusterIssuer that can sign arbitrary certificates.
```shell
# The YAML below is a cluster-scoped ClusterIssuer; indentation under
# metadata/spec is required for the manifest to be valid.
kubectl create -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: malicious-ca
spec:
  selfSigned: {}
EOF
```
- Delete a critical ClusterIssuer, preventing certificate issuance.
```shell
kubectl delete clusterissuer <clusterissuer-name>
# Example: kubectl delete clusterissuer letsencrypt-prod
```