Guilherme Macedo

**Name of the Vulnerable Software and Affected Versions** Rancher versions 2.8.0 through 2.8.12 Rancher versions 2.9.0 through 2.9.6 Rancher versions 2.10.0 through 2.10.2 **Description** The issue is related to an unauthenticated stack overflow in the `/v3-public/authproviders` API endpoint, which can lead to a denial of service (DoS) and potentially allow an attacker to impersonate any other user by manipulating cookies. This vulnerability affects users of external authentication providers as well as Rancher's local authentication. The estimated number of potentially affected devices is not specified. **Recommendations** For Rancher versions 2.8.0 through 2.8.12, update to version 2.8.13 or later. For Rancher versions 2.9.0 through 2.9.6, update to version 2.9.7 or later. For Rancher versions 2.10.0 through 2.10.2, update to version 2.10.3 or later. As a temporary workaround, consider restricting access to the `/v3-public/authproviders` API endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Rancher versions prior to 2.8.9 Rancher versions prior to 2.9.3 Rancher versions 2.7.0 through 2.7.x **Description** A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. The exposed passwords were accessible in the following objects: `provisioning.cattle.io` in `spec.rkeConfig.chartValues.rancher-vsphere-cpi` and `spec.rkeConfig.chartValues.rancher-vsphere-csi`, and `rke.cattle.io.rkecontrolplane` in `spec.chartValues.rancher-vsphere-cpi` and `spec.chartValues.rancher-vsphere-csi`. The vulnerability is only applicable to users that deploy clusters in vSphere environments. **Recommendations** For Rancher versions prior to 2.8.9, update to version 2.8.9 or later and execute the script provided in the support tools to mitigate any vulnerable leftover vSphere clusters' credentials. For Rancher versions prior to 2.9.3, update to version 2.9.3 or later and execute the script provided in the support tools to mitigate any vulnerable leftover vSphere clusters' credentials. For Rancher versions 2.7.0 through 2.7.x, update to one of the patched versions by following the standard update procedure based on the 2.7 version that is being used. Enable the `provisioningprebootstrap` feature flag after updating to one of the patched versions. As a temporary workaround, consider restricting access to Rancher to trusted users and not allowing direct access to untrusted users to the clusters' infrastructure.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.6.10 SUSE Rancher versions prior to 2.7.1 **Description** A Insufficient Entropy vulnerability in SUSE Rancher allows attackers that gained knowledge of the `cattle-token` to continue abusing this even after the token was renewed. The `cattle-token` secret, used by the `cattle-cluster-agent`, is predictable and does not use any random value in its composition, causing it to always be regenerated with the same value. This can pose a serious problem if the token is compromised and needs to be recreated for security purposes. The usage of the `cattle-token` by an unauthorized user allows to escalate privileges to the cluster owner of the affected downstream cluster. **Recommendations** For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later. After upgrading to a patched version, rotate the `cattle-token` in downstream clusters to guarantee that a new random token will be safely regenerated. This can be done by executing the following procedure in each downstream cluster provisioned by Rancher: Verify the current secret before rotating it using `kubectl describe secrets cattle-token -n cattle-system`. Delete the secret using `kubectl delete secrets cattle-token -n cattle-system`. Restart the `cattle-cluster-agent` deployment using `kubectl rollout restart deployment/cattle-cluster-agent -n cattle-system`. Confirm that a new and different secret was generated using `kubectl describe secrets cattle-token -n cattle-system`. As a temporary workaround, consider using the rotate script provided in the public security advisory to facilitate the rotation and creation of a new unique downstream cluster token.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher wrangler versions 0.7.3 and prior versions SUSE Rancher wrangler versions 0.8.4 and prior versions SUSE Rancher wrangler versions 1.0.0 and prior versions **Description** A denial of service vulnerability exists in the Wrangler Git package, allowing remote attackers to cause denial of service by supplying specially crafted git credentials. This issue is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. The issue can be triggered when accessing both private and public Git repositories. **Recommendations** For SUSE Rancher wrangler versions 0.7.3 and prior versions, update to version 0.7.4-security1 or later. For SUSE Rancher wrangler versions 0.8.4 and prior versions, update to version 0.8.5-security1 or later, or version 0.8.11 or later. For SUSE Rancher wrangler versions 1.0.0 and prior versions, update to version 1.0.1 or later. As a temporary workaround, consider sanitizing input passed to the Git package to remove potential unsafe and ambiguous characters.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher wrangler versions 0.7.3 and prior versions SUSE Rancher wrangler versions 0.8.4 and prior versions SUSE Rancher wrangler versions 1.0.0 and prior versions **Description** A command injection vulnerability exists in the Wrangler Git package, allowing remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host. **Recommendations** For SUSE Rancher wrangler versions 0.7.3 and prior versions, update to version 0.7.4-security1 or later. For SUSE Rancher wrangler versions 0.8.4 and prior versions, update to version 0.8.5-security1 or later. For SUSE Rancher wrangler versions 1.0.0 and prior versions, update to version 1.0.1 or later. As a temporary workaround, consider sanitizing input passed to the Git package to remove potential unsafe and ambiguous characters.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.17 SUSE Rancher versions prior to 2.6.10 SUSE Rancher versions prior to 2.7.1 **Description** A code execution issue exists due to improper neutralization of special elements used in an OS command. This issue can be exploited by adding an untrusted Helm catalog or modifying the URL configuration used to download KDM, allowing for command injection in the underlying Rancher host. By default, only the Rancher admin has permission to manage these configurations. The issue can potentially be exploited in two ways: adding an untrusted Helm catalog that contains maliciously designed repo URL configuration in Helm charts, or modifying the URL configuration used to download KDM releases. **Recommendations** For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later. As a temporary workaround, consider only adding trusted catalogs and the KDM URL to Rancher.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.17 SUSE Rancher versions prior to 2.6.10 SUSE Rancher versions prior to 2.7.1 **Description** A Cleartext Storage of Sensitive Information issue in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed. This issue affects the storage of sensitive fields, secret tokens, encryption keys, and SSH keys that were still being stored in plaintext directly on Kubernetes objects like `Clusters`. The exposed credentials are visible in Rancher to authenticated `Cluster Owners`, `Cluster Members`, `Project Owners`, and `Project Members` of that cluster on the endpoints: "/v1/management.cattle.io.cluster" and "/v1/management.cattle.io.clustertemplaterevisions". The fields that have been addressed by this security fix include `Cluster.Spec.RancherKubernetesEngineConfig.Services.KubeAPI.SecretsEncryptionConfig.CustomConfig.Providers[].AESGCM.Keys[].Secret`, `Cluster.Spec.RancherKubernetesEngineConfig.Services.KubeAPI.SecretsEncryptionConfig.CustomConfig.Providers[].AESCBC.Keys[].Secret`, and others. **Recommendations** For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later. After upgrading to a patched version, check for the `ACISecretsMigrated` and `RKESecretsMigrated` conditions on `Clusters` and `ClusterTemplateRevisions` to confirm when secrets have been fully migrated off of those objects. As a temporary workaround, consider restricting access to the vulnerable endpoints until a patch is available. Review for potentially leaked credentials and change them if deemed necessary.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.17 SUSE Rancher versions prior to 2.6.10 **Description** A Improper Privilege Management vulnerability in SUSE Rancher allows users with access to the `escalate` verb on PRTBs to escalate permissions for any `-promoted` resource in any cluster. This issue affects users with access to the `escalate` verb on PRTBs, including users with `*` verbs on PRTBs. The vulnerability can be exploited by users without the mentioned permissions if a role template with access to those objects was already created by another user in the cluster. The following resources are affected: - `navlinks` - `nodes` - `persistentvolumes` - `storageclasses` - `apiservices` - `clusterrepos` - `clusters` **Recommendations** For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. As a temporary workaround, consider restricting access to the `projectroletemplatebindings` resource and minimizing the creation of custom roles that contain the `escalate`, `*` or write verbs on `projectroletemplatebindings` resource. Only grant Project Owner and Manage Project Members roles to trusted users. Minimize the number of users that have permissions to `create`, `patch` and `update` `roletemplates`.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.17 SUSE Rancher versions prior to 2.6.10 SUSE Rancher versions prior to 2.7.1 **Description** A Missing Authorization vulnerability in SUSE Rancher allows an authenticated user to create an unauthorized shell pod and have limited kubectl access in the local cluster. This issue occurs due to an authorization logic flaw, allowing users to open a shell pod in the Rancher local cluster and have limited kubectl access to it, even if they were not explicitly granted such access. The vulnerability can be exploited in two ways: by intercepting a web request to change the shell's destination to the Rancher local cluster, or by modifying the server cluster address in a kubeconfig file to point to the Rancher local cluster. The severity of this issue is reduced because the shell pod runs with a limited non-root user, but it is still possible to download and run binaries inside the shell pod. **Recommendations** For SUSE Rancher versions prior to 2.5.17, update to version 2.5.17 or later. For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later. As a temporary workaround, consider restricting access to the local cluster and limiting network access to reduce the blast radius of this issue. Additionally, enabling API audit logs can help identify possible abuses of this issue by tracking API requests to the user ID of the user that performed the action.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.13 SUSE Rancher versions prior to 2.6.4 **Description** A Improper Privilege Management issue in SUSE Rancher allows users with the `restricted-admin` role to escalate to full admin. This affects customers who utilize non-admin users that are able to create or edit Global Roles. The vulnerability can be exploited by users with create or update permissions on Global Roles, allowing them to escalate their permissions or those of another user to admin-level permissions. **Recommendations** For SUSE Rancher versions prior to 2.5.13, update to version 2.5.13 or later. For SUSE Rancher versions prior to 2.6.4, update to version 2.6.4 or later. As a temporary workaround, limit access in Rancher to trusted users. Review the roles and users created by non-admin users with create or edit permissions on Global Roles for possible privilege escalations.

**Name of the Vulnerable Software and Affected Versions** SUSE Rancher versions prior to 2.5.13 SUSE Rancher versions prior to 2.6.4 **Description** A vulnerability in SUSE Rancher allows write access to the Catalog for any user when the restricted-admin role is enabled. This issue affects customers using the restricted-admin role in Rancher, which must be bootstrapped with the environment variable `CATTLE RESTRICTED DEFAULT ADMIN=true` or the configuration flag `restrictedAdmin=true`. The vulnerability grants write access to templates (`CatalogTemplates`) and template versions (`CatalogTemplateVersions`) for any user with any level of catalog access. A malicious user could abuse this vulnerability to modify application visibility, change logos, make charts appear as trusted or partner charts, or swap template versions. This vulnerability does not allow modification of the base64 encoded `files` fields of the `templateVersions`. **Recommendations** For SUSE Rancher versions prior to 2.5.13, update to version 2.5.13 or later. For SUSE Rancher versions prior to 2.6.4, update to version 2.6.4 or later. As a temporary workaround, limit access in Rancher to trusted users. If using the `restricted-admin` as the default admin role, review `CatalogTemplates` and `CatalogTemplateVersions` for possible malicious modifications.