=====================================================================
CERT-Renater Note d'Information No. 2024/VULN445
_____________________________________________________________________

DATE                 : 28/10/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Rancher versions prior to 2.7.16, 2.8.9, 2.9.3.

=====================================================================
https://github.com/rancher/rancher/security/advisories/GHSA-h99m-6755-rgwc
https://github.com/rancher/rancher/security/advisories/GHSA-xj7w-r753-vj8v
https://github.com/rancher/rancher/security/advisories/GHSA-7h8m-pvw3-5gh4
_____________________________________________________________________

Rancher Remote Code Execution via Cluster/Node Drivers
Critical
samjustus published GHSA-h99m-6755-rgwc on Oct 25, 2024

Package           : github.com/rancher/rancher (Go)
Affected versions : >=2.7.0, <2.7.16; >=2.8.0, <2.8.9; >=2.9.0, <2.9.3
Patched versions  : 2.7.16, 2.8.9, 2.9.3

Description

Impact

A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land within the Rancher container itself. For test and development environments based on a --privileged Docker container, it is possible to escape the Docker container and gain execution access on the host system.

This happens because:

- During startup, Rancher appends the /opt/drivers/management-state/bin directory to the PATH environment variable.
- In Rancher, the binaries /usr/bin/rancher-machine, /usr/bin/helm_v3, and /usr/bin/kustomize are assigned a UID of 1001 and a GID of 127 instead of being owned by the root user.
- Rancher employs a jail mechanism to isolate the execution of node drivers from the main process. However, the drivers are executed with excessive permissions.
- During the registration of new node drivers, the driver binary is executed as the same user as the parent process, which could enable an attacker to gain elevated privileges by registering a malicious driver.
- Lack of validation on the driver file type, which allows symbolic links to be used.

Please consult the associated MITRE ATT&CK - Technique - Privilege Escalation and MITRE ATT&CK - Technique - Execution for further information about this category of attack.

Since they run at a privileged level, it is recommended to use trusted drivers only.

Patches

The fix involves some key areas with the following changes:

Fixing the PATH environment variable:
- Remove the step that appends /opt/drivers/management-state/bin to the PATH environment variable.

Binaries permissions:
- Correct the permissions of the binaries /usr/bin/rancher-machine, /usr/bin/helm_v3, and /usr/bin/kustomize so that they are owned by the root user.

Improving the Rancher jail security mechanism:
- A new group, jail-accessors, has been created, and the rancher user has been added to this group.
- The jail-accessors group is granted read and execute permissions for the directories /var/lib/rancher, /var/lib/cattle, and /usr/local/bin.
- The jail mechanism has been enhanced to execute commands using the non-root rancher user and the jail-accessors group. Additionally, a new setting, UnprivilegedJailUser, has been introduced to manage this behavior, allowing users to opt out if they need to run drivers in a more privileged context.
- Limit the devices copied to the jail directory to a minimal set.

Fixing node driver registration:
- The NewPlugin(driver) function in the rancher/machine module has been updated to allow setting the UID and GID for starting the plugin server. If the environment variables MACHINE_PLUGIN_UID and MACHINE_PLUGIN_GID are set, their values will be used to configure the user credentials for launching the plugin server.
- Rancher now sets these environment variables with a non-root UID and GID before invoking the NewPlugin(driver) function and then unsets them after retrieving the creation flags.

Improvements on the driver package:
- The driver package has been revised to verify that the downloaded driver binary is a regular file.
- The driver package has been revised to verify that the target file in the downloaded tar file is a regular file.
- The driver package now executes the downloaded driver binary within a jail, with a default timeout of 5 seconds.

Other improvements:
- The helm package has been updated to ensure appropriate permissions are set on the generated kubeconfig file.
- The nodeConfig package has been updated to ensure proper permissions are applied when extracting the node configuration.

Patched versions include releases 2.7.16, 2.8.9 and 2.9.3.

Workarounds

If you can't upgrade to a fixed version, please make sure that:
- Drivers are only executed from trusted sources.
- The use of Admins/Restricted Admins is limited to trusted users.

References

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security-related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
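The three driver-side fixes above (honouring MACHINE_PLUGIN_UID/MACHINE_PLUGIN_GID for the plugin server, refusing tar entries that are not regular files, and running the driver under a timeout) can be seen together in the added example below. It is illustrative code written for this note, not Rancher's or rancher/machine's own implementation: the function names (extractDriverTar, pluginCredential, runJailed), the refusal of UID/GID 0, the explicit PATH and the "sleep" used in main to show the timeout are all assumptions of the example; only the two environment variable names and the 5 second default come from the advisory. The on-disk "regular file" check for the downloaded binary is the same IsRegular test, applied to os.Lstat (not os.Stat) so that a symlink is reported instead of followed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"context"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path"
	"strconv"
	"syscall"
	"time"
)

var errNotRegular = errors.New("driver: not a regular file")

// extractDriverTar returns the bytes of the entry whose base name is want; the
// entry itself must be a regular file (no symlink, hard link, device or dir).
func extractDriverTar(archive []byte, want string) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err != nil { // io.EOF here means the driver was not in the archive
			return nil, fmt.Errorf("driver: %s not extracted: %w", want, err)
		}
		if path.Base(hdr.Name) != want {
			continue
		}
		if !hdr.FileInfo().Mode().IsRegular() {
			return nil, fmt.Errorf("%w: entry %q has typeflag %q", errNotRegular, hdr.Name, hdr.Typeflag)
		}
		return io.ReadAll(tr)
	}
}

// envID parses one MACHINE_PLUGIN_* variable; the bool reports whether it is set.
func envID(name string) (uint32, bool, error) {
	s, ok := os.LookupEnv(name)
	if !ok {
		return 0, false, nil
	}
	v, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, true, fmt.Errorf("%s: %w", name, err)
	}
	return uint32(v), true, nil
}

// pluginCredential reads MACHINE_PLUGIN_UID/GID, the variables the advisory says
// NewPlugin now honours, and returns the identity for the plugin server; nil
// means neither is set (inherit). Rejecting UID/GID 0 is an extra check added here.
func pluginCredential() (*syscall.Credential, error) {
	uid, uidSet, err := envID("MACHINE_PLUGIN_UID")
	if err != nil {
		return nil, err
	}
	gid, gidSet, err := envID("MACHINE_PLUGIN_GID")
	if err != nil {
		return nil, err
	}
	switch {
	case !uidSet && !gidSet:
		return nil, nil
	case !uidSet || !gidSet:
		return nil, errors.New("MACHINE_PLUGIN_UID and MACHINE_PLUGIN_GID must be set together")
	case uid == 0 || gid == 0:
		return nil, errors.New("refusing to start the plugin server as root")
	}
	return &syscall.Credential{Uid: uid, Gid: gid, NoSetGroups: true}, nil
}

// runJailed executes a driver binary under a wall-clock timeout (the advisory's
// default is 5 seconds) and, when cred is non-nil, as that unprivileged UID/GID.
// The environment is explicit, so no extra PATH entry is inherited from the parent.
func runJailed(bin string, cred *syscall.Credential, timeout time.Duration, args ...string) error {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, bin, args...)
	cmd.Env = []string{"PATH=/usr/bin:/bin"}
	cmd.SysProcAttr = &syscall.SysProcAttr{Credential: cred} // nil cred: inherit identity
	err := cmd.Run()
	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
		return fmt.Errorf("driver %s killed after %s: %w", bin, timeout, context.DeadlineExceeded)
	}
	return err
}

func main() {
	// Demonstration only: a driver that never returns is killed at the deadline.
	fmt.Println(runJailed("sleep", nil, time.Second, "30"))
}
```

Switching credentials with syscall.Credential only succeeds when the parent process is privileged, which is exactly the situation the advisory describes (the jail launcher runs as root and drops to the rancher user before exec); in an unprivileged test run the exec fails with EPERM rather than silently running as the parent's user.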
Severity: Critical, 9.1/10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : High
  User interaction    : None
  Scope               : Changed
  Confidentiality     : High
  Integrity           : High
  Availability        : High
  Vector              : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID     : CVE-2024-22036
Weaknesses : CWE-269

_____________________________________________________________________

Exposure of vSphere's CPI and CSI credentials
Critical
samjustus published GHSA-xj7w-r753-vj8v on Oct 25, 2024

Package           : github.com/rancher/rancher (Go)
Affected versions : >=2.9.0; >=2.8.0; >=2.7
Patched versions  : <2.9.3; <2.8.9

Description

Impact

A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments.

The exposed passwords were accessible in the following objects:

Can be accessed by users that are cluster members of the provisioned clusters:
- When provisioning a new cluster with the vSphere cloud provider through Rancher's UI (user interface), Cluster Templates or Terraform: on the object provisioning.cattle.io in spec.rkeConfig.chartValues.rancher-vsphere-cpi and spec.rkeConfig.chartValues.rancher-vsphere-csi.
- On the object rke.cattle.io.rkecontrolplane in spec.chartValues.rancher-vsphere-cpi and spec.chartValues.rancher-vsphere-csi.

Can be accessed by users with privileged access to the clusters' infrastructure (host OS):
- Inside the plan files in the provisioned downstream clusters' filesystems.

Note: if you believe that the vSphere credentials might have been accessed by unauthorized users, it is highly recommended to change them after updating Rancher to a patched version.
Please consult the associated MITRE ATT&CK - Technique - Credential Access for further information about this category of attack.

Patches

Patched versions include Rancher releases 2.8.9 and 2.9.3.

After updating your environment to one of the patched Rancher versions, it is mandatory to execute this script, which provides an automated way to mitigate any vulnerable leftover vSphere cluster credentials within Rancher's local cluster. This script does not need to be executed if you are installing a fresh, new environment.

The script fetches all objects in Rancher's local cluster and loops through them; if the affected vSphere charts are present, it extracts the username and password parameters into a secret in the fleet-default namespace for both, with the appropriate annotation to synchronize them to the downstream clusters. Finally, it updates the cluster's chartValues to reference those secrets rather than the existing plaintext values. The script confirms on write operations and backs up the configuration of the cluster objects before operating, so rolling back is simple.

To run the script, fetch the kubeconfig for your local cluster and run it with KUBECONFIG=/path/to/kubeconfig.yml bash migrate.sh. The script is idempotent and can be run multiple times safely if you want to validate just one cluster at a time.

Notes:
- The feature flag provisioningprebootstrap must be enabled after updating to one of the patched versions. This feature flag is also mandatory when installing a new cluster.
- The Rancher 2.7 release line is not receiving a backport security patch for this vulnerability. For users running Rancher 2.7 with vSphere provisioning who are concerned with this security issue, the recommendation is to update Rancher to one of the patched versions by following the standard update procedure based on the 2.7 version that is being used. Refer to the release notes for the proper update process for 2.8.9 and 2.9.3.
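Because the migration script only rewrites chartValues it finds, an operator will want to confirm afterwards that no plaintext password is left in the two chart value blocks the advisory names. The audit below is an added example written for this note, not Rancher's migrate.sh or any other Rancher code. It walks cluster objects as exported with kubectl -o json (a single object or a List) and reports the JSON path of every non-empty string under a key named password inside a rancher-vsphere-cpi or rancher-vsphere-csi block, wherever that block sits (spec.rkeConfig.chartValues on provisioning.cattle.io Clusters, spec.chartValues on rke.cattle.io RKEControlPlanes). The sample object is constructed, and the vCenter.password nesting inside it is illustrative rather than taken from the charts' real schema; the walker does not depend on that nesting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// vsphereCharts are the two chart value blocks the advisory names as having
// stored credentials in plaintext before the fix.
var vsphereCharts = map[string]bool{
	"rancher-vsphere-cpi": true,
	"rancher-vsphere-csi": true,
}

// findPlaintextVSphereCredentials walks a decoded object (or List of objects)
// and returns, sorted, the JSON paths of non-empty strings stored under a key
// named "password" (case-insensitive) anywhere inside a vSphere chart block.
func findPlaintextVSphereCredentials(obj any) []string {
	var hits []string
	walk(obj, "$", false, &hits)
	sort.Strings(hits)
	return hits
}

// walk recurses through maps and arrays; inChart becomes true once a vSphere
// chart key has been entered, so password keys elsewhere are not reported.
func walk(v any, jsonPath string, inChart bool, hits *[]string) {
	switch x := v.(type) {
	case map[string]any:
		for k, child := range x {
			childPath := jsonPath + "." + k
			if inChart && strings.EqualFold(k, "password") {
				if s, ok := child.(string); ok && s != "" {
					*hits = append(*hits, childPath)
					continue
				}
			}
			walk(child, childPath, inChart || vsphereCharts[k], hits)
		}
	case []any:
		for i, child := range x {
			walk(child, fmt.Sprintf("%s[%d]", jsonPath, i), inChart, hits)
		}
	}
}

// auditClusterJSON decodes raw JSON, e.g. the output of
// "kubectl get clusters.provisioning.cattle.io -A -o json", and audits it.
func auditClusterJSON(data []byte) ([]string, error) {
	var obj any
	if err := json.Unmarshal(data, &obj); err != nil {
		return nil, fmt.Errorf("decoding cluster object: %w", err)
	}
	return findPlaintextVSphereCredentials(obj), nil
}

// sampleClusterJSON is a constructed object in the shape the advisory names;
// the vCenter.* keys and the PLACEHOLDER values are illustrative only.
const sampleClusterJSON = `{
  "apiVersion": "provisioning.cattle.io/v1", "kind": "Cluster",
  "metadata": {"name": "vs-demo", "namespace": "fleet-default"},
  "spec": {"rkeConfig": {"chartValues": {
    "rancher-vsphere-cpi": {"vCenter": {"host": "vc.example.invalid", "username": "svc", "password": "PLACEHOLDER-CPI"}},
    "rancher-vsphere-csi": {"vCenter": {"username": "svc", "password": "PLACEHOLDER-CSI"}},
    "other-chart": {"password": "not-a-vsphere-credential"}
  }}}
}`

func main() {
	// Reads the object from stdin when piped one, otherwise audits the sample.
	data := []byte(sampleClusterJSON)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		if piped, err := os.ReadFile("/dev/stdin"); err == nil && len(piped) > 0 {
			data = piped
		}
	}
	hits, err := auditClusterJSON(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("plaintext vSphere password at", h)
	}
	if len(hits) > 0 {
		os.Exit(1)
	}
}
```

A non-zero exit when anything is found makes the check usable in a post-upgrade runbook; the "other-chart" entry in the sample shows that passwords outside the two named chart blocks are deliberately not reported, so the audit stays focused on the objects this advisory covers.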
Workarounds

Besides only granting access to Rancher to trusted users and not allowing untrusted users direct access to the clusters' infrastructure, there is no direct workaround for this security issue, except updating Rancher to one of the patched versions.

References

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security-related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.

Severity: Critical, 9.1/10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Changed
  Confidentiality     : High
  Integrity           : Low
  Availability        : Low
  Vector              : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CVE ID     : CVE-2022-45157
Weaknesses : CWE-522

_____________________________________________________________________

Privilege escalation in Windows nodes due to Insecure Access Control Lists
Critical
samjustus published GHSA-7h8m-pvw3-5gh4 on Oct 25, 2024

Package           : github.com/rancher/rancher (Go)
Affected versions : >=2.7; >=2.8.0, <2.8.9; >=2.9.0, <2.9.3
Patched versions  : 2.8.9, 2.9.3

Description

Impact

A vulnerability has been identified whereby Rancher Manager deployments containing Windows nodes have weak Access Control Lists (ACLs), allowing BUILTIN\Users or NT AUTHORITY\Authenticated Users to view or edit sensitive files, which could lead to privilege escalation.
The affected files include binaries, scripts, configuration and log files:
  C:\etc\rancher\wins\config
  C:\var\lib\rancher\agent\rancher2_connection_info.json
  C:\etc\rancher\rke2\config.yaml.d\50-rancher.yaml
  C:\var\lib\rancher\agent\applied\*-*-applied.plan
  C:\usr\local\bin\rke2
  C:\var\lib\rancher\capr\idempotence\idempotent.sh

RKE2 nodes expand the list to include the files below:
  C:\etc\rancher\node\password
  C:\var\lib\rancher\rke2\agent\logs\kubelet.log
  C:\var\lib\rancher\rke2\data\v1.**.**-rke2r*-windows-amd64-*\bin\*
  C:\var\lib\rancher\rke2\bin\*

This vulnerability is exclusive to deployments that contain Windows nodes. Linux-only environments are not affected by it.

Please consult the associated MITRE ATT&CK - Technique - Exploitation for Privilege Escalation for further information about this category of attack.

Patches

Patched versions include Rancher Manager 2.8.9 and 2.9.3. For RKE2 Windows nodes, please refer to its specific advisory. No patches are available for 2.7; therefore users are urged to upgrade to newer minor versions or to apply the manual workaround below.

Workarounds

Users are advised to upgrade to a patched version of Rancher Manager. When that is not possible, users can enforce stricter ACLs for all sensitive files affected by this Security Advisory by running this PowerShell script as an Administrator on each node.

References
- CVE-2023-32197
- RKE2's GHSA-x7xj-jvwp-97rv

For more information

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security-related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
Severity: Critical, 9.1/10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : High
  User interaction    : None
  Scope               : Changed
  Confidentiality     : High
  Integrity           : High
  Availability        : High
  Vector              : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID     : CVE-2023-32197
Weaknesses : CWE-269, CWE-732

=========================================================
+ CERT-RENATER        | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel    | fax   : 01-53-94-20-41          +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================