
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN556
_____________________________________________________________________

DATE                : 28/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running NeuVector versions prior to
                     5.4.6.

=====================================================================
https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56
https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq
https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3
_____________________________________________________________________


Admin account has insecure default password
Critical
BinX-Suse published GHSA-8pxw-9c75-6w56 Aug 26, 2025

Package
github.com/neuvector/neuvector (Go)

Affected versions
>= 5.0.0, < 5.4.6

Patched versions
5.4.6

Description

Impact

A vulnerability exists in NeuVector versions up to and including
5.4.5, where a fixed string is used as the default password for
the built-in admin account. If this password is not changed
immediately after deployment, any workload with network access
within the cluster could use the default credentials to obtain
an authentication token. This token can then be used to perform
any operation via NeuVector APIs.

In affected versions, NeuVector supports setting the default
(bootstrap) password for the admin account through a Kubernetes
Secret named neuvector-bootstrap-secret, which must contain a key
named bootstrapPassword. However, if NeuVector fails to retrieve
this value (Secret missing, key missing, or unreadable), it falls
back to the fixed default password instead of failing.

Patches

This issue is resolved in NeuVector version 5.4.6 and later. For
rolling upgrades, it's strongly recommended to change the default
admin password to a secure one.

Starting from version 5.4.6, NeuVector introduces additional
Kubernetes RBAC permissions to ensure the bootstrap password
can be securely managed via Secrets:

kubectl create role neuvector-binding-secret-controller \
  --verb=create,patch,update --resource=secrets -n {neuvector}

kubectl create rolebinding neuvector-binding-secret-controller \
  --role=neuvector-binding-secret-controller \
  --serviceaccount=neuvector:controller \
  --serviceaccount=neuvector:default -n {neuvector}

    These RBAC roles are automatically applied when deploying via
    Helm.
    If deploying or upgrading manually, you must create these roles
    before starting NeuVector.

NOTE: If these roles are not present, the NeuVector controller
(from version 5.4.6 onward) does not start.


Behavior in Patched Versions

    Upgrades: NeuVector does not reset any existing account
    passwords. It's strongly recommended to change the default admin
    password to a secure one.

    New deployments: if bootstrapPassword is not set in the
    neuvector-bootstrap-secret Secret, NeuVector generates a secure
    password and stores it in the same Secret.

On first login, the default admin must retrieve the password
using:

kubectl get secret -n {neuvector} neuvector-bootstrap-secret \
  -o go-template='{{ .data.bootstrapPassword | base64decode }}{{ "\n" }}'

The password must be changed during the first login via the
NeuVector UI.

NOTE: If the default admin password is set using a Kubernetes
ConfigMap or a persistent backup (not a fixed string), this
value takes precedence over the Secret-based mechanism.


Workarounds

For existing vulnerable versions, log in to the NeuVector
UI immediately after deployment and update the default
admin password.


References

If you have any questions or comments about this advisory:

    Reach out to the SUSE Rancher Security team for security
related inquiries.
    Open an issue in the NeuVector repository.
    Verify with our support matrix and product support
lifecycle.


Severity
Critical
9.8 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2025-8077

Weaknesses
No CWEs

_____________________________________________________________________


Process with sensitive arguments lead to leakage
Moderate
BinX-Suse published GHSA-w54x-xfxg-4gxq Aug 26, 2025

Package
github.com/neuvector/neuvector (Go)

Affected versions
>= 5.0.0, < 5.4.6

Patched versions
5.4.6


Description

Impact

When a Java command that carries a password in its arguments is
executed and then terminated by NeuVector for a process rule
violation, for example

java -cp /app ... -Djavax.net.ssl.trustStorePassword=<Password>

the full command, password included, appears in the NeuVector
security event. To prevent this, patched versions use the following
default regular expression to detect process commands that carry
sensitive data and redact them:

(?i)(password|passwd|token)

Also, you can define custom patterns to redact by creating a Kubernetes
ConfigMap. For example:

kubectl create configmap neuvector-custom-rules --from-file=secret-patterns.yaml -n neuvector

Sample secret-patterns.yaml content:

Pattern_list:
  - (?i)(pawd|pword)
  - (?i)(secret)

NeuVector uses the default and custom regex to decide whether the process
command in a security event should be redacted.

Note: If numerous regular expression (regex) patterns are configured in
the Kubernetes ConfigMap for extended coverage of sensitive data matching,
it can significantly impact performance of NeuVector enforcer,
particularly in scenarios involving large inputs or frequent execution.
The primary factor contributing to performance issues in regex is
backtracking, where the regex engine attempts various matching paths
when a pattern doesn't immediately find a match.
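An added example, not NeuVector's code, of the redaction logic the
advisory describes: it compiles the default pattern plus the sample
custom patterns (read from a constructed copy of secret-patterns.yaml
with a minimal line reader rather than a YAML library) and masks
sensitive arguments in a process command line before the event is
written. Masking at argument granularity, so the analyst still sees
which program ran, is this example's choice; the advisory only says
the command is redacted. One caveat for the performance note above:
Go's regexp package implements RE2 semantics and runs in time linear
in the input, so catastrophic backtracking cannot occur in this
example, but every additional pattern is still one more scan per
argument per event.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Default pattern quoted in the advisory.
const defaultPattern = `(?i)(password|passwd|token)`

// Constructed copy of the sample secret-patterns.yaml from the advisory.
const samplePatternsYAML = `Pattern_list:
  - (?i)(pawd|pword)
  - (?i)(secret)
`

// parsePatternList collects the "- item" entries under the Pattern_list key.
// It is a minimal reader for the sample's shape, not NeuVector's ConfigMap
// loader, and deliberately avoids a YAML dependency.
func parsePatternList(doc string) []string {
	var out []string
	inList := false
	for _, line := range strings.Split(doc, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || strings.HasPrefix(trimmed, "#"):
			continue
		case strings.HasPrefix(trimmed, "Pattern_list:"):
			inList = true
		case inList && strings.HasPrefix(trimmed, "- "):
			out = append(out, strings.TrimSpace(strings.TrimPrefix(trimmed, "- ")))
		default:
			inList = false // some other top-level key
		}
	}
	return out
}

// Redactor holds the compiled default and custom patterns. Compile once at
// startup: the advisory's performance note is about per-event matching cost,
// and recompiling per event would only add to it.
type Redactor struct {
	patterns []*regexp.Regexp
}

// NewRedactor compiles the default pattern followed by the custom ones and
// rejects the whole set if any pattern is invalid.
func NewRedactor(custom []string) (*Redactor, error) {
	r := &Redactor{}
	for _, p := range append([]string{defaultPattern}, custom...) {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid redaction pattern %q: %w", p, err)
		}
		r.patterns = append(r.patterns, re)
	}
	return r, nil
}

func (r *Redactor) sensitive(s string) bool {
	for _, re := range r.patterns {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// Redact masks the values of sensitive arguments in a process command line.
// Two argument shapes are handled: "NAME=value" (covers Java -Dname=value and
// --flag=value) and "--flag value", where the flag name matches and the value
// is the next token. The bool reports whether anything was masked.
func (r *Redactor) Redact(cmd string) (string, bool) {
	args := strings.Fields(cmd)
	redacted := false
	for i := 0; i < len(args); i++ {
		if name, _, found := strings.Cut(args[i], "="); found {
			if r.sensitive(name) {
				args[i] = name + "=<redacted>"
				redacted = true
			}
			continue
		}
		if strings.HasPrefix(args[i], "-") && r.sensitive(args[i]) && i+1 < len(args) {
			args[i+1] = "<redacted>"
			redacted = true
			i++ // skip the value we just masked
		}
	}
	return strings.Join(args, " "), redacted
}

func main() {
	r, err := NewRedactor(parsePatternList(samplePatternsYAML))
	if err != nil {
		panic(err)
	}
	for _, cmd := range []string{
		"java -cp /app -Djavax.net.ssl.trustStorePassword=changeit com.example.Main",
		"curl --token abc123 https://api.internal/",
		"ls -la /tmp",
	} {
		out, hit := r.Redact(cmd)
		fmt.Printf("redacted=%v %s\n", hit, out)
	}
}
```

Because matching is keyed on the argument name, a secret that appears
only inside a value (for example a bare bearer string with no flag in
front of it) is not masked; redacting the whole command whenever any
pattern matches anywhere, as the advisory describes, is the more
conservative choice at the cost of less context in the event.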


Patches

This issue is fixed in NeuVector version 5.4.6 and later.


Workarounds

There is no workaround. Upgrade to a patched version of NeuVector as
soon as possible.


References

If you have any questions or comments about this advisory:

    Reach out to the SUSE Rancher Security team for security
related inquiries.
    Open an issue in the NeuVector repository.
    Verify with our support matrix and product support
lifecycle.


Severity
Moderate
5.3 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID
CVE-2025-54467

Weaknesses
No CWEs

_____________________________________________________________________


Insecure password storage vulnerable to rainbow attack
Moderate
BinX-Suse published GHSA-8ff6-pc43-jwv3 Aug 26, 2025

Package
github.com/neuvector/neuvector (Go)

Affected versions
>= 5.0.0, < 5.4.6

Patched versions
5.4.6


Description

Impact

Affected versions of NeuVector store user passwords and API keys as
a simple, unsalted hash. Because equal inputs always produce equal
hashes, this is vulnerable to a rainbow table attack (an offline
attack in which hashes of known passwords are precomputed once and
reused against every stored hash).

Starting with version 5.4.6, NeuVector generates a cryptographically
secure, random 16-character salt and uses it with the PBKDF2
algorithm to create the hash value for the following actions:

    Creating a user
    Updating a user's password
    Creating an API key

Note: After upgrading to NeuVector 5.4.6, users must log in again so
that NeuVector can regenerate the password hash. For API keys, you
must send at least one request per API key to regenerate its hash
value.
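An added example (not NeuVector's code) contrasting the unsalted
scheme with a salted PBKDF2 derivation of the kind the fix
introduces. PBKDF2 is written out from RFC 8018 over HMAC-SHA256
using only the standard library so the block runs anywhere; the
16-byte salt, the SHA-256 PRF and the 600,000 iteration count are
this example's assumptions, since the advisory states only "random
16-character salt" and "PBKDF2". Verification compares in constant
time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// unsaltedHash is the weak scheme the advisory describes: the same input
// always maps to the same digest, so one precomputed table cracks it in
// every account and every API key that used it.
func unsaltedHash(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// pbkdf2 is RFC 8018 section 5.2 over an HMAC PRF, written out so the block
// needs nothing outside the standard library.
func pbkdf2(h func() hash.Hash, password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	blocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	var ctr [4]byte
	for b := 1; b <= blocks; b++ {
		// U_1 = PRF(P, S || INT(b)); T_b = U_1 XOR U_2 XOR ... XOR U_iter
		binary.BigEndian.PutUint32(ctr[:], uint32(b))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// StoredCredential is what a salted scheme persists: a random per-record
// salt and the derived key, never the password or API key itself.
type StoredCredential struct {
	Salt []byte
	Key  []byte
	Iter int
}

// Example parameters (assumptions, not NeuVector's configured values); the
// iteration count follows OWASP's guidance for PBKDF2-HMAC-SHA256.
const (
	saltLen     = 16
	defaultIter = 600_000
	keyLen      = 32
)

// HashSecretWithIter salts and stretches a password or API key. A fresh
// crypto/rand salt per call means equal inputs produce unrelated records.
func HashSecretWithIter(secret string, iter int) (StoredCredential, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	key := pbkdf2(sha256.New, []byte(secret), salt, iter, keyLen)
	return StoredCredential{Salt: salt, Key: key, Iter: iter}, nil
}

func HashSecret(secret string) (StoredCredential, error) {
	return HashSecretWithIter(secret, defaultIter)
}

// Verify re-derives with the stored salt and iteration count and compares in
// constant time, so response timing does not leak how many bytes matched.
func Verify(c StoredCredential, secret string) bool {
	got := pbkdf2(sha256.New, []byte(secret), c.Salt, c.Iter, len(c.Key))
	return subtle.ConstantTimeCompare(got, c.Key) == 1
}

func main() {
	fmt.Println("unsalted, same input twice:", unsaltedHash("admin123") == unsaltedHash("admin123"))
	a, _ := HashSecret("admin123")
	b, _ := HashSecret("admin123")
	fmt.Printf("salted PBKDF2, same input twice:\n  %x\n  %x\n", a.Key, b.Key)
	fmt.Println("verify correct:", Verify(a, "admin123"), " wrong:", Verify(a, "admin124"))
}
```

Storing Iter alongside the record is what makes the advisory's
migration note workable: old records can be re-hashed at the next
successful login or API request, and the cost parameter can be raised
later without invalidating existing credentials.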


Patches

This issue is fixed in NeuVector version 5.4.6 and later.


Workarounds

There is no workaround. Upgrade to a patched version of NeuVector as
soon as possible.


References

If you have any questions or comments about this advisory:

    Reach out to the SUSE Rancher Security team for security
related inquiries.
    Open an issue in the NeuVector repository.
    Verify with our support matrix and product support lifecycle.


Severity
Moderate
5.3 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID
CVE-2025-53884

Weaknesses
No CWEs



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
