Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wOTc2LWg1MmMtMjZwNs4AAzpQ
Rancher vulnerable to Privilege Escalation via manipulation of Secrets
Impact
A vulnerability has been identified which enables Standard users or above to elevate their permissions to Administrator in the local cluster.
The local cluster means the cluster where Rancher is installed. It is named local inside the list of clusters in the Rancher UI.
Standard users could leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster.
Users that have custom global roles which grant create and delete permissions on secrets would also be able to exploit this vulnerability.
Users with audit logs enabled in Rancher can try to identify possible abuses of this issue by going through the logs. To sieve through the data filter by kind: Secret with type: provisioning.cattle.io/cloud-credential, then investigate all log entries that affect that specific resource. A secondary check would be to filter by all operations with Opaque Secrets within the cattle-global-data namespace.
After patching, it is recommended that users review access methods to Rancher (including RBAC policies, tokens, and host-level node access), to ensure that no changes were made to persist access to users who have leveraged this vulnerability.
Patches
Patched versions include releases 2.6.13, 2.7.4 and later versions.
Workarounds
There is no direct mitigation besides updating Rancher to a patched version.
For more information
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wOTc2LWg1MmMtMjZwNs4AAzpQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-p976-h52c-26p6, CVE-2023-22647
References:
- https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6
- https://nvd.nist.gov/vuln/detail/CVE-2023-22647
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647
- https://github.com/rancher/rancher/releases/tag/v2.6.13
- https://github.com/rancher/rancher/releases/tag/v2.7.4
- https://github.com/advisories/GHSA-p976-h52c-26p6
Blast Radius: 1.0
Affected Packages
go:rancher/rancher
Affected Version Ranges: >= 2.7.0, < 2.7.4, >= 2.6.0, < 2.6.13Fixed in: 2.7.4, 2.6.13