=====================================================================
CERT-Renater Note d'Information No. 2025/VULN726
_____________________________________________________________________

DATE : 23/10/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running NeuVector versions prior to 5.4.7.
=====================================================================

https://github.com/neuvector/neuvector/security/advisories/GHSA-c8g6-qrwh-m3vp
https://github.com/neuvector/neuvector/security/advisories/GHSA-h773-7gf7-9m2x
https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w
_____________________________________________________________________

Enforcer is vulnerable to Command Injection and Buffer overflow
Severity: Critical
BinX-Suse published GHSA-c8g6-qrwh-m3vp on Oct 21, 2025

Package: github.com/neuvector/neuvector (Go)
Affected versions: >=5.3.0, <=5.4.6
Patched versions: 5.4.7, 5.3.5

Description

Impact

A vulnerability was identified in NeuVector where the enforcer used the environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to build a command executed via popen, without first sanitising their values.

The entry process of the enforcer container is the monitor process. When the enforcer container stops, the monitor process checks whether the consul subprocess has exited. To perform this check, the monitor process uses popen to execute a shell command that determines whether the ports used by the consul subprocess are still active. The values of CLUSTER_RPC_PORT and CLUSTER_LAN_PORT are used directly to compose that shell command, with no validation or sanitisation. A malicious user who can control these variables inside the enforcer container can therefore inject arbitrary shell commands, which popen runs with the privileges of the monitor process.
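The injection path and the check described above, as an added Go example that is not the project's code (the advisory lists the package as Go; here "sh -c" plays the role of popen(3)). The "ss | grep" command line, the function names and the sample values are assumptions made for the example; the real monitor's command is not given on this page:

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
)

// validPort is the kind of check the advisory says the patched monitor now
// performs: the value must be nothing but a decimal number in 1..65535. Any
// other byte (space, ';', '$', '`', '|', a newline) is rejected outright.
func validPort(s string) bool {
	if s == "" || len(s) > 5 {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	n, err := strconv.Atoi(s)
	return err == nil && n >= 1 && n <= 65535
}

// buildPortCheckUnsafe reproduces the vulnerable pattern: the environment value
// is pasted verbatim into a command line that will be handed to a shell. The
// "ss | grep" pipeline is a hypothetical stand-in for whatever the real monitor ran.
func buildPortCheckUnsafe(port string) string {
	return fmt.Sprintf("ss -lnt | grep -q ':%s '", port)
}

// buildPortCheckSafe is the hardened variant: the same format string, but the
// value must pass validPort before it is interpolated. On failure the caller
// gets an error and, as in the patched monitor, should exit rather than run anything.
func buildPortCheckSafe(port string) (string, error) {
	if !validPort(port) {
		return "", fmt.Errorf("refusing port value %q: not a valid port number", port)
	}
	return buildPortCheckUnsafe(port), nil
}

// portCheckCommand wraps the validated command line; "sh -c" plays the role of
// popen(3). Nothing here executes it; main only prints what would run.
func portCheckCommand(port string) (*exec.Cmd, error) {
	line, err := buildPortCheckSafe(port)
	if err != nil {
		return nil, err
	}
	return exec.Command("sh", "-c", line), nil
}

func main() {
	for _, v := range []string{"8300", "8300; touch /tmp/pwned", "$(id)", "65536", " 8301"} {
		os.Setenv("CLUSTER_RPC_PORT", v) // simulate an attacker-controlled value
		port := os.Getenv("CLUSTER_RPC_PORT")
		fmt.Printf("unsafe:   %s\n", buildPortCheckUnsafe(port))
		if cmd, err := portCheckCommand(port); err != nil {
			fmt.Println("safe:    ", err)
		} else {
			fmt.Println("safe:     would run", cmd.Args)
		}
	}
}
```

The advisory's fix is input validation; in Go the stronger habit is to avoid the shell entirely and pass argv directly to exec.Command, so that no byte of the variable is ever parsed by /bin/sh.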
In the patched version, the monitor process validates the values of CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to ensure they contain only valid port numbers before invoking popen. If validation fails, the monitor process exits immediately, causing the enforcer container to terminate. This prevents the execution of any injected or malicious commands.

Patches

Patched versions include release v5.4.7 and above.

Workarounds

There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.

References

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.

Severity: Critical, 10.0/10
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Changed
  Confidentiality: High
  Integrity: High
  Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-54469
Weaknesses: CWE-20
_____________________________________________________________________

NeuVector is shipping cryptographic material into its binary
Severity: Moderate
BinX-Suse published GHSA-h773-7gf7-9m2x on Oct 21, 2025

Package: https://github.com/neuvector/neuvector (Go)
Affected versions: >=5.3.0, <=5.4.6
Patched versions: 5.4.7

Description

Impact

NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the placeholder key value was replaced with the secret key value, which was then used to encrypt sensitive configuration when NeuVector stores the data.

In the patched version, NeuVector uses the Kubernetes secret neuvector-store-secret in the neuvector namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed within Kubernetes.
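The key handling this advisory describes, as an added Go example that is not NeuVector's code: the dynamic key is read from neuvector-store-secret in the neuvector namespace (generated on first use), a forbidden read surfaces as the RBAC error the advisory quotes and makes the caller exit, and each stored field still sealed under the build-time key is re-sealed under the dynamic key. The AES-GCM blob layout, the legacyKey value, the in-memory secretStore and the function names are assumptions made for the example:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNoSecretRBAC is the exact log line the advisory says the patched
// controller writes before exiting when it cannot read the secret.
var ErrNoSecretRBAC = errors.New("Required Kubernetes RBAC for secrets are not found")

// legacyKey stands in for the key once compiled into the binary. Constructed
// for this example; it is not NeuVector's real key.
var legacyKey = []byte("example-legacy-build-time-key-32")

// secretStore is an in-memory stand-in for neuvector-store-secret in the
// neuvector namespace (the real controller would use client-go). forbid=true
// simulates a ServiceAccount that lacks the new RBAC rule.
type secretStore struct {
	forbid bool
	data   map[string][]byte
}

// loadStoreKey returns the 32-byte random key in the secret, generating and
// persisting one on first use. A forbidden read becomes ErrNoSecretRBAC so the
// caller exits instead of falling back to a static key.
func loadStoreKey(s *secretStore) ([]byte, error) {
	if s.forbid {
		return nil, ErrNoSecretRBAC
	}
	if k, ok := s.data["key"]; ok && len(k) == 32 {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	s.data = map[string][]byte{"key": k} // persisted for other replicas and restarts
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one sensitive config value with AES-256-GCM, random nonce
// prepended. Illustrative blob layout, not NeuVector's stored format.
func sealField(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openField reverses sealField; a wrong key fails authentication instead of
// yielding garbage, which is how migrateField tells the two keys apart.
func openField(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// migrateField is the per-field step run on rolling upgrade or restore: a blob
// still sealed under the legacy key is re-sealed under the dynamic key; one
// already under the dynamic key is left alone. The bool reports a rewrite.
func migrateField(blob, newKey []byte) ([]byte, bool, error) {
	if _, err := openField(newKey, blob); err == nil {
		return blob, false, nil
	}
	pt, err := openField(legacyKey, blob)
	if err != nil {
		return nil, false, errors.New("field opens under neither the legacy nor the dynamic key")
	}
	out, err := sealField(newKey, pt)
	return out, err == nil, err
}

func main() {
	key, err := loadStoreKey(&secretStore{})
	if err != nil {
		panic(err) // the patched controller logs this and exits
	}
	old, _ := sealField(legacyKey, []byte("registry-password"))
	blob, rewritten, _ := migrateField(old, key)
	pt, _ := openField(key, blob)
	fmt.Println("rewritten:", rewritten, "value:", string(pt))
}
```

Because GCM authenticates the ciphertext, trying the dynamic key first and the legacy key second is safe: a blob never decrypts "successfully" under the wrong key, so the migration cannot silently corrupt a field, and anything that opens under neither key is reported rather than guessed at.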
During a rolling upgrade or when restoring from persistent storage, the NeuVector controller checks each encrypted configuration field. If a sensitive field is found to be encrypted with the default encryption key, it is decrypted with the default key and then re-encrypted with the new dynamic key. If the NeuVector controller does not have the RBAC permissions required to access the new secret, it writes the error log "Required Kubernetes RBAC for secrets are not found" and exits. The device encryption key is rotated every 3 months; for details, refer to the Rotating Self-Signed Certificate documentation.

Patches

Patched versions include release v5.4.7 and above.

Workarounds

There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.

References

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.

Severity: Moderate, 6.5/10
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: None
  Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2025-54471
Weaknesses: CWE-321
_____________________________________________________________________

Telemetry sender is vulnerable to MITM and DoS
Severity: High
BinX-Suse published GHSA-qqj3-g7mx-5p4w on Oct 21, 2025

Package: https://github.com/neuvector/neuvector (Go)
Affected versions: >=5.3.0, <=5.4.6
Patched versions: 5.3.5, 5.4.7

Description

Impact

This vulnerability affects NeuVector deployments only when the "Report anonymous cluster data" option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server at https://upgrades.neuvector-upgrade-responder.livestock.rancher.io.
In affected versions, NeuVector does not enforce TLS certificate verification when transmitting anonymous cluster data to the telemetry server. As a result, the channel is susceptible to man-in-the-middle (MITM) attacks in which an attacker could intercept or modify the transmitted data. Additionally, NeuVector loads the telemetry server's response into memory without any size limit, which exposes it to a denial-of-service (DoS) attack through memory exhaustion.

The patched version includes the following security improvements:
- NeuVector now verifies the telemetry server's TLS certificate chain and hostname during the handshake. This ensures that all telemetry communication occurs over a trusted and verified channel.
- NeuVector limits the telemetry server's response to 256 bytes, mitigating the risk of memory exhaustion and DoS attacks.

These security enhancements are enabled by default and require no user action.

Patches

Patched versions include release v5.4.7 and above.

Workarounds

If you cannot update to a patched version, you can temporarily disable "Report anonymous cluster data", which is enabled by default in NeuVector. To change this setting, go to Settings → Configuration → Report anonymous cluster data in the NeuVector UI. Disabling this option prevents NeuVector from sending telemetry data to the telemetry server, which mitigates this vulnerability.

References

If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.
Severity: High, 8.6/10
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: Low
  Integrity: Low
  Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVE ID: CVE-2025-54470
Weaknesses: CWE-295, CWE-770

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================