PT-2023-14311 · Suse · Suse Rancher

Guilherme Macedo · Published 2023-01-25 · Updated 2023-02-16 · CVE-2022-43755

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
Name of the Vulnerable Software and Affected Versions

SUSE Rancher versions prior to 2.6.10
SUSE Rancher versions prior to 2.7.1
Description

An Insufficient Entropy vulnerability in SUSE Rancher allows attackers who have gained knowledge of the cattle-token to keep abusing it even after the token has been renewed. The cattle-token secret, used by the cattle-cluster-agent, is predictable and does not use any random value in its composition, so it is always regenerated with the same value. This is a serious problem when the token is compromised and has to be recreated for security reasons. Use of the cattle-token by an unauthorized user allows that user to escalate privileges to cluster owner of the affected downstream cluster.
Recommendations

For SUSE Rancher versions prior to 2.6.10, update to version 2.6.10 or later. For SUSE Rancher versions prior to 2.7.1, update to version 2.7.1 or later.

After upgrading to a patched version, rotate the cattle-token in downstream clusters to guarantee that a new random token is safely regenerated. This can be done by executing the following procedure in each downstream cluster provisioned by Rancher:

1. Verify the current secret before rotating it: kubectl describe secrets cattle-token -n cattle-system
2. Delete the secret: kubectl delete secrets cattle-token -n cattle-system
3. Restart the cattle-cluster-agent deployment: kubectl rollout restart deployment/cattle-cluster-agent -n cattle-system
4. Confirm that a new and different secret was generated: kubectl describe secrets cattle-token -n cattle-system

As a temporary workaround, consider using the rotate script provided in the public security advisory to facilitate the rotation and creation of a new unique downstream cluster token.
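The rotation procedure above, scripted end to end as an added example (this is not the rotate script from the public advisory, nor code from SUSE or the Rancher project). It assumes kubectl and sha256sum are on PATH and that the current kubectl context points at one downstream cluster; the namespace, secret and deployment names default to the ones the advisory uses and can be overridden through the NS, SECRET and DEPLOY environment variables. Unlike a visual comparison of two kubectl describe outputs, it fingerprints only the secret's data, so a recreated secret that merely has a new resourceVersion but the same predictable contents is reported as a failed rotation.

```shell
#!/bin/sh
# Added example, not from the advisory or from the Rancher project: performs the
# advisory's four-step cattle-token rotation in the current downstream cluster and
# checks that the regenerated secret actually differs from the old one.
# Assumptions: kubectl on PATH with a context pointing at the downstream cluster,
# and sha256sum available (coreutils). Names default to those in the advisory.
set -e

NS="${NS:-cattle-system}"
SECRET="${SECRET:-cattle-token}"
DEPLOY="${DEPLOY:-cattle-cluster-agent}"
KUBECTL="${KUBECTL:-kubectl}"

# Fingerprint only the secret's data map, so a new resourceVersion or uid on a
# recreated secret with identical contents does not pass as a real rotation.
secret_fingerprint() {
  "$KUBECTL" -n "$NS" get secret "$SECRET" -o jsonpath='{.data}' \
    | sha256sum | cut -d' ' -f1
}

# Succeed only if both fingerprints are present and differ (step 4 of the advisory).
rotation_changed() {
  [ -n "${1:-}" ] && [ -n "${2:-}" ] && [ "$1" != "$2" ]
}

rotate_cattle_token() {
  before=$(secret_fingerprint)                               # step 1: record the current secret
  echo "before: $before"
  "$KUBECTL" -n "$NS" delete secret "$SECRET"                # step 2: delete it
  "$KUBECTL" -n "$NS" rollout restart "deployment/$DEPLOY"   # step 3: restart the agent
  "$KUBECTL" -n "$NS" rollout status "deployment/$DEPLOY" --timeout=180s
  # The secret is recreated after the restart; wait for it instead of reading too early.
  i=0
  until "$KUBECTL" -n "$NS" get secret "$SECRET" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 60 ] || { echo "$SECRET was not recreated" >&2; return 1; }
    sleep 2
  done
  after=$(secret_fingerprint)                                # step 4: compare with the old value
  echo "after:  $after"
  if rotation_changed "$before" "$after"; then
    echo "OK: $SECRET was regenerated with a new value"
  else
    echo "WARNING: $SECRET came back unchanged; the cluster is still on a predictable token" >&2
    return 2
  fi
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "rotate" ]; then
  rotate_cattle_token
fi
```

Run it as `sh rotate-cattle-token.sh rotate` once per downstream cluster, with the context switched to that cluster. A zero exit status means the token was replaced; exit status 2 means the secret was recreated with the same contents, which is exactly the behaviour this advisory describes and indicates the Rancher server has not yet been upgraded to a fixed version.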

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2022-43755
GHSA-8C69-R38J-RPFJ

Affected Products

Suse Rancher