OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection Vulnerability
OpenCost contains an unauthenticated file write vulnerability, tracked as GHSA-wmj8-9953-vff5, in its `/serviceKey` endpoint that allows remote attackers to overwrite the GCP service account key file (`key.json`) without any authentication or input validation, leading to service disruption, credential theft, and potential privilege escalation within Kubernetes clusters or GCP environments.
OpenCost, an open-source project for Kubernetes cost monitoring, is affected by an unauthenticated file write vulnerability (GHSA-wmj8-9953-vff5) in its /serviceKey endpoint. This flaw permits remote attackers to overwrite the key.json file, which typically stores Google Cloud Platform (GCP) service account credentials, without any form of authentication or input validation. The vulnerability resides within the AddServiceKey function in pkg/costmodel/router.go, where user-supplied content from a POST request's key parameter is directly written to the file system. This allows attackers to inject invalid data, causing service disruption by breaking GCP integrations, or to replace legitimate credentials with attacker-controlled ones, facilitating credential theft and potential privilege escalation within the targeted Kubernetes cluster or associated GCP environment. Additionally, an overly permissive CORS header (Access-Control-Allow-Origin: *) in the affected endpoint further enables cross-origin attacks if the OpenCost instance is exposed to a web browser. All versions of OpenCost up to and including the latest release are affected.
Attack Chain
- An attacker identifies a network-accessible OpenCost instance running a vulnerable version. This could be through a public ingress, NodePort exposure, or internal network access.
- The attacker crafts an HTTP POST request targeting the
/serviceKeyendpoint of the OpenCost service (e.g.,http://opencost.opencost.svc.cluster.local:9003/serviceKeyorhttp://localhost:9003/serviceKey). - The request includes a
keyparameter within the request body, containing malicious data such as malformed JSON, an empty string, or attacker-controlled valid GCP service account credentials. - The vulnerable
AddServiceKeyfunction in OpenCost'spkg/costmodel/router.goreceives the unauthenticated request. - Lacking any authentication or input validation, OpenCost extracts the value from the
keyparameter. - The extracted content is directly written to the
key.jsonfile located in theCONFIG_PATHdirectory (which defaults to/var/configs). - The existing
key.jsonfile is overwritten with the attacker-supplied malicious content, compromising the integrity or confidentiality of the GCP service account key. - Subsequent attempts by OpenCost to interact with GCP APIs will either fail due to invalid credentials, causing service disruption, or connect to an attacker-controlled GCP project, enabling data exfiltration or unauthorized actions.
Impact
The unauthorized file write vulnerability in OpenCost can lead to severe consequences across multiple dimensions. If an attacker injects invalid JSON or malformed credentials into key.json, OpenCost's ability to communicate with the GCP Billing API will cease, resulting in a disruption of cost monitoring and FinOps processes. This directly impacts an organization's ability to track and manage cloud expenditures. More critically, an attacker can inject their own GCP service account credentials, leading to sensitive data leakage. This includes the organization's cloud resource usage patterns, detailed cost breakdowns per namespace, and overall business intelligence regarding infrastructure scale and technology adoption. Such information could be highly valuable to competitors or for reconnaissance in future attacks. While the attacker cannot control the file path or name, the ability to fully control the key.json content without authentication poses a significant risk. For improperly exposed instances, the permissive CORS configuration enables cross-origin attacks, allowing malicious websites to initiate attacks from a victim's browser without their awareness.
Recommendation
- Deploy the Sigma rule
Detect OpenCost ServiceKey Unauthorized File Write Attemptto your SIEM to alert on suspicious unauthenticated POST requests to the/serviceKeyendpoint. - Monitor
webserverlogs for HTTP POST requests directed at the/serviceKeyendpoint, especially those originating from unexpected IP addresses or lacking proper authentication headers. - Restrict network access to the OpenCost service endpoint
/serviceKeythrough firewall rules, network policies, or API gateways to prevent unauthenticated external access. - If possible, implement an authentication layer (e.g., API key, OAuth, OIDC) for the
/serviceKeyendpoint, as recommended by the OpenCost maintainers' remediation guidance. - Ensure strong input validation is applied to the
keyparameter to verify the integrity and format of any submitted GCP service account keys. - Review and restrict the
Access-Control-Allow-Originheader in your web server or ingress configuration for OpenCost to only trusted domains, preventing cross-origin attacks.
Detection coverage 1
Detect OpenCost ServiceKey Unauthorized File Write Attempt
highDetects exploitation of OpenCost unauthorized file write vulnerability (GHSA-wmj8-9953-vff5) via unauthenticated HTTP POST requests to the /serviceKey endpoint. This indicates an attempt to overwrite the GCP service account key file.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | http://opencost.opencost.svc.cluster.local:9003/serviceKey |
| url | http://localhost:9003/serviceKey |