GHSA-64jq-m7rq-768h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-64jq-m7rq-768h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-64jq-m7rq-768h/GHSA-64jq-m7rq-768h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-64jq-m7rq-768h
- Aliases
-
- CVE-2023-32196
- GO-2024-2929
- Published
- 2024-06-17T22:30:51Z
- Modified
- 2024-10-16T17:26:07Z
- Severity
-
- 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Rancher's External RoleTemplates can lead to privilege escalation
- Details
-
Impact
A vulnerability has been identified whereby privilege escalation checks are not properly enforced for
RoleTemplateobjects when external=true, which in specific scenarios can lead to privilege escalation.The bug in the webhook rule resolver ignores rules from a
ClusterRolefor externalRoleTemplateswhen its context is set to eitherprojector is left empty. The fix introduces a new field to theRoleTemplateCRD namedExternalRules. The new field will be used to resolve rules directly from theRoleTemplate. Additionally, rules from the backingClusterRolewill be used ifExternalRulesis not provided. The new field will always take precedence when it is set, and serve as the source of truth for rules used when creating Rancher resources on the local cluster.Please note that this is a breaking change for external
RoleTemplates, when context is set toprojector empty and the backingClusterRoledoes not exist, as this was not previously required.Important: The fix is automatically applied when upgrading to the release lines
2.8and above. For users still on the2.7release line, after the upgrade to a patched version, users are required to opt-in to the fix by enabling theexternal-rulesfeature flag.Please consult the associated MITRE ATT&CK - Technique - Exploitation for Privilege Escalation for further information about this category of attack.
Patches
Patched versions include releases
2.7.14and2.8.5.Workarounds
The following script was developed for Rancher Manager administrators to identify
RoleTemplatesimpacted by this vulnerability. The script requiresjqinstalled and akubeconfigwith access to Rancher local cluster; it can also be executed in Rancher's kubectl shell.#!/bin/bash set -euo pipefail # get all RoleTemplates with .context == "project" or .context == "" that don't have externalRules. rts=$(kubectl get roletemplates -o json | jq -r '.items[] | select((.context == "project" or .context == "") and .external == true and .externalRules == null and .builtin == false) | .metadata.name') found_invalid_rt=false for rt in $rts; do if ! kubectl get clusterrole "$rt" > /dev/null 2>&1; then echo "$rt" # prints RoleTemplate names that don't have a backing ClusterRole found_invalid_rt=true fi done if ! $found_invalid_rt ; then echo 'This cluster is not affected by CVE-2023-32197: no RoleTemplate objects found' fiIt will return all objects affected by this vulnerability. The administrator can fix those objects by creating the backing
ClusterRolethat they refer to.References
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security-related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.
- Database specific
{ "nvd_published_at": "2024-10-16T13:15:13Z", "cwe_ids": [ "CWE-269" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-06-17T22:30:51Z" }- References
Affected packages
Go / github.com/rancher/rancher
Package
- Name
- github.com/rancher/rancher
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/rancher/rancher
Go / github.com/rancher/rancher
Package
- Name
- github.com/rancher/rancher
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/rancher/rancher