▼	URL	Tags
	meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=1205293	Exploit, Issue Tracking

▼	Vendor	Product
	SUSE	Rancher
	SUSE	Rancher

ghsa-7m72-mh5r-6j3r

Vulnerability from github

Published

2023-01-25 19:35

Modified

2023-02-15 22:01

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

Privilege escalation in project role template binding (PRTB) and -promoted roles

Details

Impact

An issue was discovered in Rancher versions from 2.5.0 up to and including 2.5.16 and from 2.6.0 up to and including 2.6.9, where an authorization logic flaw allows privilege escalation via project role template binding (PRTB) and -promoted roles. This issue is not present in Rancher 2.7 releases.

Note: Consult Rancher documentation for more information about cluster and project roles and KB 000020097 for information about -promoted roles.

This privilege escalation is possible for users with access to the escalate verb on PRTBs (projectroletemplatebindings.management.cattle.io), including users with * verbs on PRTBs (see notes below for more information). These users can escalate permissions for any -promoted resource (see the table below for a full enumeration) in any cluster where they have a PRTB granting such permissions in at least one project in the cluster.

On a default Rancher setup, only the following roles have such permissions:

Project Owner
Manage Project Members

These roles have permissions to affect the following resources:

| Resource | API Group | Affected Rancher version | | - | - | - | | navlinks | ui.cattle.io | 2.6 | | nodes | "" | 2.6 | | persistentvolumes | "" | 2.5, 2.6 | | persistentvolumes | core | 2.5, 2.6 | | storageclasses | storage.k8s.io | 2.5, 2.6 | | apiservices | apiregistration.k8s.io | 2.5, 2.6 | | clusterrepos | catalog.cattle.io | 2.5, 2.6 | | clusters (local only) | management.cattle.io | 2.5, 2.6 |

Notes:

During the calculation of the CVSS score, privileges required was considered as high because, by default, standard user and user-base users in Rancher do not have create, patch and update permissions on roletemplates.
If a role template with access to those objects was already created by another user in the cluster, then this issue can be exploited by users without the mentioned permissions from point 1.

Workarounds

If updating Rancher to a patched version is not possible, then the following workarounds must be observed to mitigate this issue:

Only grant Project Owner and Manage Project Members roles to trusted users.
Minimize the creation of custom roles that contain the escalate, * or write verbs (create, delete, patch, update) on projectroletemplatebindings resource, and only grant such custom roles to trusted users.
Minimize the number of users that have permissions to create, patch and update roletemplates.

Patches

Patched versions include releases 2.5.17 and 2.6.10 and later versions. This issue is not present in Rancher 2.7 releases.

Detection

The following script was developed to list role template bindings that give written access to the affected resources listed above. It is highly recommended to run the script in your environment and review the list of identified roles and role template bindings for possible signs of exploitation of this issue. The script requires jq installed and a kubeconfig with access to Rancher local cluster; it can also be executed in Rancher's kubectl shell.

```shell

!/bin/bash

help=" Usage: bash find_promoted_resource.sh \n \n

Requires: \n - jq installed and on path \n - A kubeconfig pointing at rancher's local cluster (can also run from rancher's kubectl shell) \n \n

Outputs a list of roletemplates and roletemplate bindings which give write access to promoted resources. "

if [[ $1 == "-h" || $1 == "--help" ]] then echo -e $help exit 0 fi

first, get the current roletemplates so that we only issue a get once

kubectl get roletemplates.management.cattle.io -o json >> script_templates.json

find roles which have write access to a promoted resource. Filter on roleTemplates which fulfill all requirements:

Have a project context

Have some rules

Have one/more of the target api groups, or a * in the api groups

Have one/more of the target resources, or a * in the resources

Have a verb that is not read access (i.e. a verb that is not get/list/watch)

roles=$(jq --argjson apiGroups '["", "ui.cattle.io", "core", "storage.k8s.io", "apiregistration.k8s.io", "catalog.cattle.io", "management.cattle.io"]' --argjson resources '["navlinks", "persistentvolumes", "nodes", "storageclasses", "apiservices", "clusterrepos", "clusters"]' --argjson verbs '["get", "list", "watch"]' '.items[] | select(.context=="project" and (.rules | length >= 1)) | select( .rules[] | select( (($apiGroups - .apiGroups | length < 7) or (.apiGroups | index(""))) and (($resources - .resources | length < 7) or (.resources | index(""))) and (.verbs - $verbs | length > 0)) | length >= 1 ) | .metadata.name' script_templates.json | jq -s )

log promoted roles which give direct write access so they can be easily fixed

echo "The following role templates give direct write access to a promoted resource:" echo $roles echo -e ""

find any roles which inherit first-level roles. Mostly a BFS which radiates outward from the known bad roles

old_roles="[]" new_roles="$roles" old_length=$(echo $old_roles | jq 'length') new_length=$(echo $new_roles | jq 'length')

if our last loop found nothing new, it's safe to stop

while [[ $old_length != $new_length ]]; do # set old values to what we currently know about old_roles=$new_roles old_length=$new_length # update new values with anything that inherits a "bad" role we know about new_roles=$(jq --argjson roles "$old_roles" --argjson roleLen "$old_length" '.items[] | .metadata.name as $NAME | select (( $roles | index($NAME)) or ((.roleTemplateNames | length > 0 ) and ($roles - .roleTemplateNames | length < $roleLen))) | .metadata.name ' script_templates.json | jq -s) new_length=$(echo $new_roles | jq 'length') done

roles=$new_roles

log all roles which can give write access, even if it's not first level

echo -e "The following role templates give write access to a promoted resource directly or through inheritance:" echo $roles echo -e ""

kubectl get projectroletemplatebindings.management.cattle.io -A -o json >> script_bindings.json role_template_bindings=$(jq --argjson roleTemplates "$roles" '.items[] | .roleTemplateName as $TemplateName | select($roleTemplates | index($TemplateName)) | .metadata.name' script_bindings.json | jq -s)

since these bindings could be for users or groups, we need to include all fields which could help identify the subject. But they won't all be present, which makes the list look less pretty

echo -e "The following is a list of bindings which give access to promoted resource, with the format of: bindingName, projectName, userName, userPrincipalName, groupName, groupPrincipalName: " echo $(jq --argjson bindings "$role_template_bindings" '.items[] | .metadata.name as $BindingName | select ( $bindings | index($BindingName)) | .metadata.name, .projectName, .userName?, .userPrincipalName?, .groupName?, .groupPrincipalName?' script_bindings.json | jq -s)

unset old_roles unset new_roles unset roles unset role_template_bindings rm script_templates.json rm script_bindings.json ```

For more information

If you have any questions or comments about this advisory:

Reach out to SUSE Rancher Security team for security related inquiries.
Open an issue in Rancher repository.
Verify our support matrix and product support lifecycle

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-43759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-25T19:35:02Z",
    "nvd_published_at": "2023-02-07T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn issue was discovered in Rancher versions from 2.5.0 up to and including 2.5.16 and from 2.6.0 up to and including 2.6.9, where an authorization logic flaw allows privilege escalation via project role template binding (PRTB) and `-promoted` roles. This issue is not present in Rancher 2.7 releases.\n\nNote: Consult Rancher [documentation](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/cluster-and-project-roles) for more information about cluster and project roles and [KB 000020097](https://www.suse.com/support/kb/doc/?id=000020097) for information about `-promoted` roles.\n\nThis privilege escalation is possible for users with access to the `escalate` verb on PRTBs (`projectroletemplatebindings.management.cattle.io`), including users with `*` verbs on PRTBs (see notes below for more information). These users can escalate permissions for any `-promoted` resource (see the table below for a full enumeration) in any cluster where they have a PRTB granting such permissions in at least one project in the cluster.\n\nOn a default Rancher setup, only the following roles have such permissions:\n\n1. Project Owner\n2. Manage Project Members\n\nThese roles have permissions to affect the following resources:\n\n| Resource | API Group | Affected Rancher version |\n| - | - | - |\n| navlinks | ui.cattle.io | 2.6 |\n| nodes | \"\" | 2.6 |\n| persistentvolumes | \"\" | 2.5, 2.6 |\n| persistentvolumes | core | 2.5, 2.6 |\n| storageclasses | storage.k8s.io | 2.5, 2.6 |\n| apiservices | apiregistration.k8s.io | 2.5, 2.6 |\n| clusterrepos | catalog.cattle.io | 2.5, 2.6 |\n| clusters (`local` only) | management.cattle.io | 2.5, 2.6 |\n\nNotes:\n\n1. During the calculation of the CVSS score, `privileges required` was considered  as `high` because, by default, `standard user` and `user-base` users in Rancher do not have  `create`, `patch` and `update` permissions on `roletemplates`.\n2. If a role template with access to those objects was already created by another user in the cluster, then this issue can be exploited by users without the mentioned permissions from point 1.\n\n### Workarounds\n\nIf updating Rancher to a patched version is not possible, then the following workarounds must be observed to mitigate this issue:\n\n1. Only grant Project Owner and Manage Project Members roles to trusted users.\n5. Minimize the creation of custom roles that contain the `escalate`, `*` or write verbs (`create`, `delete`, `patch`, `update`) on `projectroletemplatebindings` resource, and only grant such custom roles to trusted users.\n6. Minimize the number of users that have permissions to `create`, `patch` and `update` `roletemplates`.\n\n### Patches\n\nPatched versions include releases 2.5.17 and 2.6.10 and later versions. This issue is not present in Rancher 2.7 releases.\n\n### Detection\n\nThe following script was developed to list role template bindings that give written access to the affected resources listed above. It is highly recommended to run the script in your environment and review the list of identified roles and role template bindings for possible signs of exploitation of this issue. The script requires `jq` installed and a `kubeconfig` with access to Rancher local cluster; it can also be executed in Rancher\u0027s kubectl shell.\n\n```shell\n#!/bin/bash\n\nhelp=\"\nUsage: bash find_promoted_resource.sh \\n \\n\n\nRequires: \\n\n- jq installed and on path \\n\n- A kubeconfig pointing at rancher\u0027s local cluster (can also run from rancher\u0027s kubectl shell) \\n \\n\n\nOutputs a list of roletemplates and roletemplate bindings which give write access to promoted resources.\n\"\n\nif [[ $1 == \"-h\" || $1 == \"--help\" ]]\nthen\n\techo -e $help\n\texit 0\nfi\n\n# first, get the current roletemplates so that we only issue a get once\nkubectl get roletemplates.management.cattle.io -o json \u003e\u003e script_templates.json\n\n# find roles which have write access to a promoted resource. Filter on roleTemplates which fulfill all requirements:\n# Have a project context\n# Have some rules\n# Have one/more of the target api groups, or a * in the api groups\n# Have one/more of the target resources, or a * in the resources\n# Have a verb that is not read access (i.e. a verb that is not get/list/watch)\nroles=$(jq --argjson apiGroups \u0027[\"\", \"ui.cattle.io\", \"core\", \"storage.k8s.io\", \"apiregistration.k8s.io\", \"catalog.cattle.io\", \"management.cattle.io\"]\u0027 --argjson resources \u0027[\"navlinks\", \"persistentvolumes\", \"nodes\", \"storageclasses\", \"apiservices\", \"clusterrepos\", \"clusters\"]\u0027 --argjson verbs \u0027[\"get\", \"list\", \"watch\"]\u0027 \u0027.items[] | select(.context==\"project\" and (.rules | length \u003e= 1)) | select( .rules[] | select( (($apiGroups - .apiGroups | length \u003c 7) or (.apiGroups | index(\"*\"))) and (($resources - .resources | length \u003c 7) or (.resources | index(\"*\"))) and (.verbs - $verbs  | length \u003e 0)) | length \u003e= 1 ) | .metadata.name\u0027 script_templates.json | jq -s )\n\n# log promoted roles which give direct write access so they can be easily fixed\necho \"The following role templates give direct write access to a promoted resource:\"\necho $roles\necho -e \"\"\n\n# find any roles which inherit first-level roles. Mostly a BFS which radiates outward from the known bad roles \nold_roles=\"[]\"\nnew_roles=\"$roles\"\nold_length=$(echo $old_roles | jq \u0027length\u0027)\nnew_length=$(echo $new_roles | jq \u0027length\u0027)\n# if our last loop found nothing new, it\u0027s safe to stop\nwhile [[ $old_length != $new_length ]];\ndo\n\t# set old values to what we currently know about\n\told_roles=$new_roles\n\told_length=$new_length\n\t# update new values with anything that inherits a \"bad\" role we know about\n\tnew_roles=$(jq --argjson roles \"$old_roles\" --argjson roleLen \"$old_length\" \u0027.items[] | .metadata.name as $NAME | select (( $roles | index($NAME)) or ((.roleTemplateNames | length \u003e 0 ) and ($roles - .roleTemplateNames | length \u003c $roleLen))) | .metadata.name \u0027 script_templates.json | jq -s)\n\tnew_length=$(echo $new_roles | jq \u0027length\u0027)\ndone\n\nroles=$new_roles\n\n# log all roles which can give write access, even if it\u0027s not first level\necho -e \"The following role templates give write access to a promoted resource directly or through inheritance:\"\necho $roles\necho -e \"\"\n\nkubectl get projectroletemplatebindings.management.cattle.io -A -o json \u003e\u003e script_bindings.json\nrole_template_bindings=$(jq --argjson roleTemplates \"$roles\" \u0027.items[] | .roleTemplateName as $TemplateName | select($roleTemplates | index($TemplateName)) | .metadata.name\u0027 script_bindings.json | jq -s)\n\n# since these bindings could be for users or groups, we need to include all fields which could help identify the subject. But they won\u0027t all be present, which makes the list look less pretty\necho -e \"The following is a list of bindings which give access to promoted resource, with the format of: bindingName, projectName, userName, userPrincipalName, groupName, groupPrincipalName: \"\necho $(jq --argjson bindings \"$role_template_bindings\" \u0027.items[] | .metadata.name as $BindingName | select ( $bindings | index($BindingName)) | .metadata.name, .projectName, .userName?, .userPrincipalName?, .groupName?, .groupPrincipalName?\u0027 script_bindings.json | jq -s)\n\nunset old_roles\nunset new_roles\nunset roles\nunset role_template_bindings\nrm script_templates.json\nrm script_bindings.json\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n* Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n* Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/)",
  "id": "GHSA-7m72-mh5r-6j3r",
  "modified": "2023-02-15T22:01:37Z",
  "published": "2023-01-25T19:35:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-7m72-mh5r-6j3r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43759"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1205293"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rancher"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Privilege escalation in project role template binding (PRTB) and -promoted roles"
}

wid-sec-w-2023-0197

Vulnerability from csaf_certbund

Published

2023-01-24 23:00

Modified

2023-01-24 23:00

Summary

Rancher: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Rancher ist ein Werkzeug für die Verwaltung von Kubernetes-Container basierten Umgebungen.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Rancher ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, seine Rechte zu erweitern und Code auszuführen.

Betroffene Betriebssysteme

- UNIX - Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Rancher ist ein Werkzeug f\u00fcr die Verwaltung von Kubernetes-Container basierten Umgebungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Rancher ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, seine Rechte zu erweitern und Code auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-0197 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0197.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-0197 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0197"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-01-24",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-8c69-r38j-rpfj"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-01-24",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-34p5-jp77-fcrc"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-01-24",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-cq4p-vp5q-4522"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-01-24",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-7m72-mh5r-6j3r"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-01-24",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-c45c-39f6-6gw9"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-01-24",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-g25r-gvq3-wrq7"
      }
    ],
    "source_lang": "en-US",
    "title": "Rancher: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-01-24T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:11:30.000+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-0197",
      "initial_release_date": "2023-01-24T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-01-24T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Rancher Rancher \u003c 2.5.17",
                "product": {
                  "name": "Rancher Rancher \u003c 2.5.17",
                  "product_id": "T026022",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rancher:rancher:2.5.17"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Rancher Rancher \u003c 2.6.10",
                "product": {
                  "name": "Rancher Rancher \u003c 2.6.10",
                  "product_id": "T026023",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rancher:rancher:2.6.10"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Rancher Rancher \u003c 2.7.1",
                "product": {
                  "name": "Rancher Rancher \u003c 2.7.1",
                  "product_id": "T026024",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rancher:rancher:2.7.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Rancher"
          }
        ],
        "category": "vendor",
        "name": "Rancher"
      }
    ]
  },
  "vulnerabilities": [
    {
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Rancher. Wenn ein externer Authentifizierungsanbieter in Rancher konfiguriert und dann deaktiviert wird, werden die von Rancher generierten Token, denen der Zugriff \u00fcber den nun deaktivierten Authentifizierungsanbieter gew\u00e4hrt wurde, nicht widerrufen. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "release_date": "2023-01-24T23:00:00Z"
    },
    {
      "cve": "CVE-2022-43759",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Rancher. Diese beruht auf einem Fehler in der Autorisierungslogik. Ein privilegierter Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien \u00fcber Project Role Template Binding (PRTB) und -promotierte Rollen zu erweitern."
        }
      ],
      "release_date": "2023-01-24T23:00:00Z",
      "title": "CVE-2022-43759"
    },
    {
      "cve": "CVE-2022-43758",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Rancher. Das Rancher-Git-Paket verwendet die zugrunde liegende Git-Bin\u00e4rdatei, die im Rancher-Container-Image verf\u00fcgbar ist, um Git-Operationen auszuf\u00fchren. In diesem Paket besteht ein Befehls-Injektions-Problem. Ein privilegierter Angreifer kann diese Schwachstelle ausnutzen, um Befehle in den zugrunde liegenden Rancher-Host zu injizieren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2023-01-24T23:00:00Z",
      "title": "CVE-2022-43758"
    },
    {
      "cve": "CVE-2022-43757",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Rancher. Einige vertrauliche Felder, geheime Token, Verschl\u00fcsselungsschl\u00fcssel und SSH-Schl\u00fcssel werden im Klartext direkt auf Kubernetes-Objekten wie Clustern gespeichert. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "release_date": "2023-01-24T23:00:00Z",
      "title": "CVE-2022-43757"
    },
    {
      "cve": "CVE-2022-43755",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Rancher. Das cattle-token-Geheimnis verwendet keinen Zufallswert in seiner Zusammensetzung, was dazu f\u00fchrt, dass es immer mit demselben Wert neu generiert wird. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um die Rechte des Clustereigent\u00fcmers des betroffenen Downstream-Clusters zu erweitern."
        }
      ],
      "release_date": "2023-01-24T23:00:00Z",
      "title": "CVE-2022-43755"
    },
    {
      "cve": "CVE-2022-21953",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Rancher. Ein Fehler in der Autorisierungslogik erm\u00f6glicht es einem authentifizierten Benutzer auf einem beliebigen nachgelagerten Cluster einen Shell-Pod im lokalen Rancher-Cluster zu \u00f6ffnen und begrenzten kubectl-Zugriff darauf zu erhalten. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
        }
      ],
      "release_date": "2023-01-24T23:00:00Z",
      "title": "CVE-2022-21953"
    }
  ]
}

gsd-2022-43759

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10.

Aliases

CVE-2022-43759

Aliases

CVE-2022-43759

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-43759",
    "id": "GSD-2022-43759",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-43759.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-43759"
      ],
      "details": "A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10.",
      "id": "GSD-2022-43759",
      "modified": "2023-12-13T01:19:31.872291Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@suse.com",
        "DATE_PUBLIC": "2023-01-25T00:00:00.000Z",
        "ID": "CVE-2022-43759",
        "STATE": "PUBLIC",
        "TITLE": "Rancher: Privilege escalation via promoted roles"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Rancher",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "Rancher",
                          "version_value": "2.5.17"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Rancher",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "Rancher",
                          "version_value": "2.6.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SUSE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-269: Improper Privilege Management"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.suse.com/show_bug.cgi?id=1205293",
            "refsource": "CONFIRM",
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1205293"
          }
        ]
      },
      "source": {
        "advisory": "https://bugzilla.suse.com/show_bug.cgi?id=1205293",
        "defect": [
          "1205293"
        ],
        "discovery": "INTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=v2.5.0 \u003cv2.5.17 || \u003e=v2.6.0 \u003cv2.6.10",
          "affected_versions": "All versions starting from 2.5.0 before 2.5.17, all versions starting from 2.6.0 before 2.6.10",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-01-25",
          "description": "An issue was discovered in Rancher versions from 2.5.0 up to and including 2.5.16 and from 2.6.0 up to and including 2.6.9, where an authorization logic flaw allows privilege escalation via project role template binding (PRTB) and `-promoted` roles. This issue is not present in Rancher 2.7 releases.",
          "fixed_versions": [
            "v2.5.17",
            "v2.6.10"
          ],
          "identifier": "GMS-2023-139",
          "identifiers": [
            "GHSA-7m72-mh5r-6j3r",
            "GMS-2023-139",
            "CVE-2022-43759"
          ],
          "not_impacted": "All versions before 2.5.0, all versions starting from 2.5.17 before 2.6.0, all versions starting from 2.6.10",
          "package_slug": "go/github.com/rancher/rancher",
          "pubdate": "2023-01-25",
          "solution": "Upgrade to versions 2.5.17, 2.6.10 or above.",
          "title": "Privilege escalation in project role template binding (PRTB) and -promoted roles",
          "urls": [
            "https://github.com/rancher/rancher/security/advisories/GHSA-7m72-mh5r-6j3r",
            "https://github.com/advisories/GHSA-7m72-mh5r-6j3r"
          ],
          "uuid": "87d610df-0606-4b78-8d83-d09b359902fb",
          "versions": [
            {
              "commit": {
                "sha": "65f3525cdc1167872af4140d45f3153698450c52",
                "tags": [
                  "v2.5.0",
                  "v2.5.0-rc9"
                ],
                "timestamp": "20201006004413"
              },
              "number": "v2.5.0"
            },
            {
              "commit": {
                "sha": "df2432ad895c9d6be0e47e0d6d62a4c3dc8f08e5",
                "tags": [
                  "v2.6.0",
                  "v2.6.0-rc10"
                ],
                "timestamp": "20210830223634"
              },
              "number": "v2.6.0"
            },
            {
              "commit": {
                "sha": "8bcacfeafe7c8b7696318c1eb739247258e83238",
                "tags": [
                  "v2.5.17",
                  "v2.5.17-rc4"
                ],
                "timestamp": "20230124044749"
              },
              "number": "v2.5.17"
            },
            {
              "commit": {
                "sha": "2207cfed180315c015223c07ba4462888b8acf9f",
                "tags": [
                  "v2.6.10",
                  "v2.6.10-rc7"
                ],
                "timestamp": "20230124173128"
              },
              "number": "v2.6.10"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.6.10",
                "versionStartIncluding": "2.6.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.5.17",
                "versionStartIncluding": "2.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@suse.com",
          "ID": "CVE-2022-43759"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-269"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.suse.com/show_bug.cgi?id=1205293",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Issue Tracking"
              ],
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1205293"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-02-15T18:39Z",
      "publishedDate": "2023-02-07T13:15Z"
    }
  }
}

cve-2022-43759

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2022-43759

Vulnerability from cvelistv5

ghsa-7m72-mh5r-6j3r

Vulnerability from github

Impact

Workarounds

Patches

Detection

!/bin/bash

first, get the current roletemplates so that we only issue a get once

find roles which have write access to a promoted resource. Filter on roleTemplates which fulfill all requirements:

Have a project context

Have some rules

Have one/more of the target api groups, or a * in the api groups

Have one/more of the target resources, or a * in the resources

Have a verb that is not read access (i.e. a verb that is not get/list/watch)

log promoted roles which give direct write access so they can be easily fixed

find any roles which inherit first-level roles. Mostly a BFS which radiates outward from the known bad roles

if our last loop found nothing new, it's safe to stop

log all roles which can give write access, even if it's not first level

since these bindings could be for users or groups, we need to include all fields which could help identify the subject. But they won't all be present, which makes the list look less pretty

For more information

wid-sec-w-2023-0197

Vulnerability from csaf_certbund

gsd-2022-43759

Vulnerability from gsd

Tags

Sightings

Nomenclature