ghsa-6gr4-52w6-vmqx
Vulnerability from github
Published
2024-06-17 22:30
Modified
2024-10-16 17:26
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
rke's credentials are stored in the RKE1 Cluster state ConfigMap
Details

Impact

When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data:

  • RancherKubernetesEngineConfig
  • RKENodeConfig
    • SSH username
    • SSH private key
    • SSH private key path
  • RKEConfigServices
    • ETCDService
      • External client key
      • BackupConfig
        • S3BackupConfig
          • AWS access key
          • AWS secret key
    • KubeAPIService
      • SecretsEncryptionConfig
        • K8s encryption configuration (contains encryption keys)
  • PrivateRegistries
    • User
    • Password
    • ECRCredentialPlugin
      • AWS access key
      • AWS secret key
      • AWS session token
  • CloudProvider
    • AzureCloudProvider
      • AAD client ID
      • AAD client secret
      • AAD client cert password
    • OpenstackCloudProvider
      • Username
      • User ID
      • Password
    • VsphereCloudProvider
      • GlobalVsphereOpts
        • User
        • Password
      • VirtualCenterConfig
        • User
        • Password
    • HarvesterCloudProvider
      • CloudConfig
    • CustomCloudProvider
  • BastionHost
    • User
    • SSH key
  • CertificatesBundle
  • Private key
  • EncryptionConfig
  • Private key

The State type that contains the above info and more can viewed here.

While the full-cluster-state configmap is not publicly available (reading it requires access to the RKE cluster), it being a configmap makes it available to non-administrators of the cluster. Because this configmap contains essentially all the information and credentials required to administer the cluster, anyone with permission to read it thereby achieves admin-level access to the cluster (please consult the MITRE ATT&CK - Technique - Unsecured Credentials : Credentials In Files for further information about the associated technique of attack).

Important: For the exposure of credentials not related to Rancher and RKE, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services.

It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.

Patches

This vulnerability is being fixed in RKE versions 1.4.19 and 1.5.10 which are included in Rancher versions 2.7.14 and 2.8.5.

The patches include changes that will cause RKE to automatically migrate the cluster state configmap to a full-cluster-state secret in the kube-system namespace. The migrated secret will only be accessible to those who have read access to the kube-system namespace in the downstream RKE cluster. In Rancher, only admin and cluster-owner roles can access the secret. The old configmap will be removed after successful migration.

All downstream clusters provisioned using RKE via Rancher will be migrated automatically on Rancher upgrade. Note that any downstream clusters that are unavailable or otherwise non migratable on Rancher upgrade will still be migrated automatically as soon as they become available.

Clusters provisioned using RKE outside of Rancher will be migrated automatically upon the next invocation of rke up (i.e. the next cluster reconciliation) after upgrading RKE.

If a rollback needs to be performed after an upgrade to a patched Rancher or RKE version, downstream RKE clusters that were migrated need to have their migrations manually reversed using this script: https://github.com/rancherlabs/support-tools/tree/master/reverse-rke-state-migrations. Please be sure to back up downstream clusters before performing the reverse migration.

Workarounds

There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of RKE/Rancher Manager which contains the fixes.

Users should not attempt to perform this migration manually without upgrading their RKE/Rancher versions as only post-patch versions of RKE are capable of reading the cluster state from a secret instead of a configmap. In other words, migrating the cluster state to a secret without upgrading RKE/Rancher would cause RKE to be unable to read the cluster state, making it incapable of managing the cluster until an RKE/Rancher upgrade is performed.

For more information

If you have any questions or comments about this advisory:

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.18"
            },
            {
              "fixed": "1.4.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.9"
            },
            {
              "fixed": "1.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T22:30:48Z",
    "nvd_published_at": "2024-10-16T13:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nWhen RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data:\n\n- RancherKubernetesEngineConfig\n   - RKENodeConfig\n       - SSH username\n       - SSH private key\n       - SSH private key path\n   - RKEConfigServices\n       - ETCDService\n           - External client key\n           - BackupConfig\n               - S3BackupConfig\n                   - AWS access key\n                   - AWS secret key\n       - KubeAPIService\n           - SecretsEncryptionConfig\n               - K8s encryption configuration (contains encryption keys)\n   - PrivateRegistries\n       - User\n       - Password\n       - ECRCredentialPlugin\n           - AWS access key\n           - AWS secret key\n           - AWS session token\n   - CloudProvider\n       - AzureCloudProvider\n           - AAD client ID\n           - AAD client secret\n           - AAD client cert password\n       - OpenstackCloudProvider\n           - Username\n           - User ID\n           - Password\n       - VsphereCloudProvider\n           - GlobalVsphereOpts\n               - User\n               - Password\n           - VirtualCenterConfig\n               - User\n               - Password\n       - HarvesterCloudProvider\n           - CloudConfig\n       - CustomCloudProvider\n   - BastionHost\n       - User\n       - SSH key\n- CertificatesBundle\n   - Private key\n- EncryptionConfig\n   - Private key\n\n\nThe `State` type that contains the above info and more can viewed [here](https://github.com/rancher/rke/blob/8714c3c06e0bad55c61684fd5d94f1481128c58d/cluster/state.go#L37).\n\nWhile the `full-cluster-state` configmap is not publicly available (reading it requires access to the RKE cluster), it being a configmap makes it available to non-administrators of the cluster. Because this configmap contains essentially all the information and credentials required to administer the cluster, anyone with permission to read it thereby achieves admin-level access to the cluster (please consult the [MITRE ATT\u0026CK - Technique - Unsecured Credentials : Credentials In Files](https://attack.mitre.org/techniques/T1552/001/) for further information about the associated technique of attack).\n\n\n**Important:**\nFor the exposure of credentials not related to Rancher and RKE, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services. \n\n\nIt is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.\n\n\n### Patches\n\nThis vulnerability is being fixed in RKE versions `1.4.19` and `1.5.10` which are included in Rancher versions `2.7.14` and `2.8.5`.\n\n\nThe patches include changes that will cause RKE to automatically migrate the cluster state configmap to a `full-cluster-state` secret in the `kube-system` namespace. The migrated secret will only be accessible to those who have read access to the `kube-system` namespace in the downstream RKE cluster. In Rancher, only admin and cluster-owner roles can access the secret. The old configmap will be removed after successful migration.\n\n\nAll downstream clusters provisioned using RKE via Rancher will be migrated automatically on Rancher upgrade. Note that any downstream clusters that are unavailable or otherwise non migratable on Rancher upgrade will still be migrated automatically as soon as they become available.\n\n\nClusters provisioned using RKE outside of Rancher will be migrated automatically upon the next invocation of `rke up` (i.e. the next cluster reconciliation) after upgrading RKE.\n\n\nIf a rollback needs to be performed after an upgrade to a patched Rancher or RKE version, downstream RKE clusters that were migrated need to have their migrations manually reversed using this script: https://github.com/rancherlabs/support-tools/tree/master/reverse-rke-state-migrations. \n**Please be sure to back up downstream clusters before performing the reverse migration**.\n\n\n### Workarounds\n\nThere are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of RKE/Rancher Manager which contains the fixes.\n\n\nUsers should not attempt to perform this migration manually without upgrading their RKE/Rancher versions as only post-patch versions of RKE are capable of reading the cluster state from a secret instead of a configmap. In other words, migrating the cluster state to a secret without upgrading RKE/Rancher would cause RKE to be unable to read the cluster state, making it incapable of managing the cluster until an RKE/Rancher upgrade is performed.\n\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support life cycle](https://www.suse.com/lifecycle/).\n",
  "id": "GHSA-6gr4-52w6-vmqx",
  "modified": "2024-10-16T17:26:10Z",
  "published": "2024-06-17T22:30:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rke"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rke\u0027s credentials are stored in the RKE1 Cluster state ConfigMap"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.