GHSA-X7XJ-JVWP-97RV

Vulnerability from github – Published: 2024-10-25 19:39 – Updated: 2024-10-25 19:39
VLAI
Summary
RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists
Details

Impact

A vulnerability has been identified whereby RKE2 deployments in Windows nodes have weak Access Control Lists (ACL), allowing BUILTIN\Users or NT AUTHORITY\Authenticated Users to view or edit sensitive files which could lead to privilege escalation.

The affected files include binaries, scripts, configuration and log files:

C:\etc\rancher\node\password
C:\var\lib\rancher\rke2\agent\logs\kubelet.log
C:\var\lib\rancher\rke2\data\v1.**.**-rke2r*-windows-amd64-*\bin\*
C:\var\lib\rancher\rke2\bin\*

This vulnerability is exclusive to RKE2 in Windows environments. Linux environments are not affected by it.

Please consult the associated MITRE ATT&CK - Technique - Exploitation for Privilege Escalation for further information about this category of attack.

Patches

Patched versions include RKE2 1.31.0, 1.30.2, 1.29.6, 1.28.11 and 1.27.15.

Workarounds

Users are advised to do a fresh install of their RKE2 Windows nodes using a patched RKE2 version. When that is not possible, users can enforce stricter ACLs for all sensitive files affected by this Security Advisory running this PowerShell script as an Administrator on each node.

References

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.27.0"
            },
            {
              "fixed": "1.27.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.28.0"
            },
            {
              "fixed": "1.28.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.29.0"
            },
            {
              "fixed": "1.29.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.30.0"
            },
            {
              "fixed": "1.30.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-25T19:39:07Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA vulnerability has been identified whereby RKE2 deployments in Windows nodes have weak Access Control Lists (ACL), allowing `BUILTIN\\Users` or `NT AUTHORITY\\Authenticated Users` to view or edit sensitive files which could lead to privilege escalation.\n\nThe affected files include binaries, scripts, configuration and log files:\n\n```\nC:\\etc\\rancher\\node\\password\nC:\\var\\lib\\rancher\\rke2\\agent\\logs\\kubelet.log\nC:\\var\\lib\\rancher\\rke2\\data\\v1.**.**-rke2r*-windows-amd64-*\\bin\\*\nC:\\var\\lib\\rancher\\rke2\\bin\\*\n```\n\n**This vulnerability is exclusive to RKE2 in Windows environments. Linux environments are not affected by it.**\n\nPlease consult the associated [MITRE ATT\u0026CK - Technique - Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/) for further information about this category of attack.\n\n\n### Patches\n\nPatched versions include RKE2 `1.31.0`, `1.30.2`, `1.29.6`, `1.28.11` and `1.27.15`.\n\n### Workarounds\n\nUsers are advised to do a fresh install of their RKE2 Windows nodes using a patched RKE2 version. \nWhen that is not possible, users can enforce stricter ACLs for all sensitive files affected by this Security Advisory running [this](https://github.com/rancherlabs/support-tools/blob/master/windows-access-control-lists/README.md) PowerShell script as an Administrator on each node.\n\n### References\n\n- [CVE-2023-32197](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32197)\n- [Rancher Manager\u2019s GHSA-7h8m-pvw3-5gh4](https://github.com/rancher/rancher/security/advisories/GHSA-7h8m-pvw3-5gh4)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).\n",
  "id": "GHSA-x7xj-jvwp-97rv",
  "modified": "2024-10-25T19:39:07Z",
  "published": "2024-10-25T19:39:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-7h8m-pvw3-5gh4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rke2/security/advisories/GHSA-x7xj-jvwp-97rv"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32197"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rke2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…