cvelistv5 - cve-2023-32191

CVE-2023-32191 (GCVE-0-2023-32191)

Vulnerability from cvelistv5

Published

2024-10-16 12:17

Modified

2024-10-16 15:58

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-922 - Insecure Storage of Sensitive Information

Summary

When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.

References

►

URL

Tags

	meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191
	meissner@suse.de	https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx

Impacted products

	Vendor	Product	Version
	SUSE	rke	Version: 1.4.18 ≤ Version: 1.5.9 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:suse:rke:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rke",
            "vendor": "suse",
            "versions": [
              {
                "lessThan": "1.4.19",
                "status": "affected",
                "version": "1.4.18",
                "versionType": "semver"
              },
              {
                "lessThan": "1.5.10",
                "status": "affected",
                "version": "1.5.9",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32191",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-16T15:55:18.270759Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-16T15:58:10.698Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "github.com/rancher/rke",
          "product": "rke",
          "vendor": "SUSE",
          "versions": [
            {
              "lessThan": "1.4.19",
              "status": "affected",
              "version": "1.4.18",
              "versionType": "semver"
            },
            {
              "lessThan": "1.5.10",
              "status": "affected",
              "version": "1.5.9",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2024-06-17T20:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.\u003cbr\u003e"
            }
          ],
          "value": "When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922: Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-16T12:17:02.324Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191"
        },
        {
          "url": "https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "rke\u0027s credentials are stored in the RKE1 Cluster state ConfigMap",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2023-32191",
    "datePublished": "2024-10-16T12:17:02.324Z",
    "dateReserved": "2023-05-04T08:30:59.321Z",
    "dateUpdated": "2024-10-16T15:58:10.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32191\",\"sourceIdentifier\":\"meissner@suse.de\",\"published\":\"2024-10-16T13:15:12.067\",\"lastModified\":\"2024-10-16T16:38:14.557\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.\"},{\"lang\":\"es\",\"value\":\"Cuando RKE aprovisiona un cl\u00faster, almacena el estado del cl\u00faster en un mapa de configuraci\u00f3n llamado `full-cluster-state` dentro del espacio de nombres `kube-system` del propio cl\u00faster. La informaci\u00f3n disponible all\u00ed permite que los usuarios que no son administradores escalen a administradores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-922\"}]}],\"references\":[{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191\",\"source\":\"meissner@suse.de\"},{\"url\":\"https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx\",\"source\":\"meissner@suse.de\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32191\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-16T15:55:18.270759Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:suse:rke:*:*:*:*:*:*:*:*\"], \"vendor\": \"suse\", \"product\": \"rke\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.4.18\", \"lessThan\": \"1.4.19\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.5.9\", \"lessThan\": \"1.5.10\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-16T15:58:01.775Z\"}}], \"cna\": {\"title\": \"rke\u0027s credentials are stored in the RKE1 Cluster state ConfigMap\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SUSE\", \"product\": \"rke\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.4.18\", \"lessThan\": \"1.4.19\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.5.9\", \"lessThan\": \"1.5.10\", \"versionType\": \"semver\"}], \"packageName\": \"github.com/rancher/rke\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-06-17T20:30:00.000Z\", \"references\": [{\"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191\"}, {\"url\": \"https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-922\", \"description\": \"CWE-922: Insecure Storage of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"shortName\": \"suse\", \"dateUpdated\": \"2024-10-16T12:17:02.324Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32191\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-16T15:58:10.698Z\", \"dateReserved\": \"2023-05-04T08:30:59.321Z\", \"assignerOrgId\": \"404e59f5-483d-4b8a-8e7a-e67604dd8afb\", \"datePublished\": \"2024-10-16T12:17:02.324Z\", \"assignerShortName\": \"suse\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2023-32191

Vulnerability from fkie_nvd

Published

2024-10-16 13:15

Modified

2024-10-16 16:38

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

▶	URL	Tags
	meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191
	meissner@suse.de	https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin."
    },
    {
      "lang": "es",
      "value": "Cuando RKE aprovisiona un cl\u00faster, almacena el estado del cl\u00faster en un mapa de configuraci\u00f3n llamado `full-cluster-state` dentro del espacio de nombres `kube-system` del propio cl\u00faster. La informaci\u00f3n disponible all\u00ed permite que los usuarios que no son administradores escalen a administradores."
    }
  ],
  "id": "CVE-2023-32191",
  "lastModified": "2024-10-16T16:38:14.557",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "meissner@suse.de",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-16T13:15:12.067",
  "references": [
    {
      "source": "meissner@suse.de",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191"
    },
    {
      "source": "meissner@suse.de",
      "url": "https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx"
    }
  ],
  "sourceIdentifier": "meissner@suse.de",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-922"
        }
      ],
      "source": "meissner@suse.de",
      "type": "Secondary"
    }
  ]
}

gsd-2023-32191

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2023-32191

Aliases

CVE-2023-32191

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32191",
    "id": "GSD-2023-32191"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32191"
      ],
      "id": "GSD-2023-32191",
      "modified": "2023-12-13T01:20:23.980708Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-32191",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

wid-sec-w-2024-1397

Vulnerability from csaf_certbund

Published

2024-06-17 22:00

Modified

2024-06-17 22:00

Summary

Rancher: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Rancher ist ein Werkzeug für die Verwaltung von Kubernetes-Container basierten Umgebungen.

Angriff

Ein entfernter authentifizierter Angreifer kann mehrere Schwachstellen in Rancher ausnutzen, um Dateien zu manipulieren, seine Privilegien zu erweitern oder vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Rancher ist ein Werkzeug f\u00fcr die Verwaltung von Kubernetes-Container basierten Umgebungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter authentifizierter Angreifer kann mehrere Schwachstellen in Rancher ausnutzen, um Dateien zu manipulieren, seine Privilegien zu erweitern oder vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1397 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1397.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1397 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1397"
      },
      {
        "category": "external",
        "summary": "Rancher Security Advisory vom 2024-06-17",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-64jq-m7rq-768h"
      },
      {
        "category": "external",
        "summary": "Rancher Security Advisory vom 2024-06-17",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-q6c7-56cq-g2wm"
      },
      {
        "category": "external",
        "summary": "Rancher Security Advisory vom 2024-06-17",
        "url": "https://github.com/rancher/rancher/security/advisories/GHSA-9ghh-mmcq-8phc"
      },
      {
        "category": "external",
        "summary": "Rancher Security Advisory vom 2024-06-17",
        "url": "https://github.com/advisories/GHSA-6gr4-52w6-vmqx"
      }
    ],
    "source_lang": "en-US",
    "title": "Rancher: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-06-17T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:10:16.608+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1397",
      "initial_release_date": "2024-06-17T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-06-17T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.7.14",
                "product": {
                  "name": "Rancher Rancher \u003c2.7.14",
                  "product_id": "T035506"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.8.5",
                "product": {
                  "name": "Rancher Rancher \u003c2.8.5",
                  "product_id": "T035507"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.4.19",
                "product": {
                  "name": "Rancher Rancher \u003c1.4.19",
                  "product_id": "T035508"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.5.10",
                "product": {
                  "name": "Rancher Rancher \u003c1.5.10",
                  "product_id": "T035509"
                }
              }
            ],
            "category": "product_name",
            "name": "Rancher"
          }
        ],
        "category": "vendor",
        "name": "Rancher"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-22650",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Rancher. Dieser Fehler besteht im Authentifizierungsanbieter (AP) aufgrund einer unsachgem\u00e4\u00dfen Bereinigung von gel\u00f6schten Benutzer-Tokens. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Daten zu l\u00f6schen, zu lesen oder zu \u00e4ndern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T035508",
          "T035509"
        ]
      },
      "release_date": "2024-06-17T22:00:00.000+00:00",
      "title": "CVE-2023-22650"
    },
    {
      "cve": "CVE-2023-32196",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Rancher. Dieser Fehler besteht in den RoleTemplate-Objekten aufgrund einer unsachgem\u00e4\u00dfen Privilegienverwaltung. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T035508",
          "T035509"
        ]
      },
      "release_date": "2024-06-17T22:00:00.000+00:00",
      "title": "CVE-2023-32196"
    },
    {
      "cve": "CVE-2023-32191",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Rancher. Dieser Fehler besteht in Kubernetes Engine (RKE), da der Cluster-Status in einer Configmap namens full-cluster-state im kube-system-Namensraum gespeichert wird, die vertrauliche Informationen enth\u00e4lt. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Anmeldedaten zu erhalten und vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2024-06-17T22:00:00.000+00:00",
      "title": "CVE-2023-32191"
    },
    {
      "cve": "CVE-2024-22032",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Rancher. Dieser Fehler besteht in Clustern, die mit RKE1 und aktivierter Verschl\u00fcsselungskonfiguration f\u00fcr Geheimnisse bereitgestellt werden. Wenn die Verschl\u00fcsselung von Geheimnissen aktiviert ist, gleicht der Cluster kontinuierlich ab, was dazu f\u00fchrt, dass geheime Kube-API-Werte im Klartext in die AppliedSpec geschrieben werden. Ein entfernter, authentifizierter Angreifer mit RBAC-Berechtigungen kann diese Schwachstelle ausnutzen, um Zugriff auf die gesamte, f\u00fcr den Cluster spezifische Secrets-Encryption-Konfiguration zu erhalten."
        }
      ],
      "product_status": {
        "known_affected": [
          "T035508",
          "T035509"
        ]
      },
      "release_date": "2024-06-17T22:00:00.000+00:00",
      "title": "CVE-2024-22032"
    }
  ]
}

ghsa-6gr4-52w6-vmqx

Vulnerability from github

Published

2024-06-17 22:30

Modified

2024-10-16 17:26

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

rke's credentials are stored in the RKE1 Cluster state ConfigMap

Details

Impact

When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data:

RancherKubernetesEngineConfig
RKENodeConfig
- SSH username
- SSH private key
- SSH private key path
RKEConfigServices
- ETCDService
  - External client key
  - BackupConfig
    - S3BackupConfig
      - AWS access key
      - AWS secret key
- KubeAPIService
  - SecretsEncryptionConfig
    - K8s encryption configuration (contains encryption keys)
PrivateRegistries
- User
- Password
- ECRCredentialPlugin
  - AWS access key
  - AWS secret key
  - AWS session token
CloudProvider
- AzureCloudProvider
  - AAD client ID
  - AAD client secret
  - AAD client cert password
- OpenstackCloudProvider
  - Username
  - User ID
  - Password
- VsphereCloudProvider
  - GlobalVsphereOpts
    - User
    - Password
  - VirtualCenterConfig
    - User
    - Password
- HarvesterCloudProvider
  - CloudConfig
- CustomCloudProvider
BastionHost
- User
- SSH key
CertificatesBundle
Private key
EncryptionConfig
Private key

The State type that contains the above info and more can viewed here.

While the full-cluster-state configmap is not publicly available (reading it requires access to the RKE cluster), it being a configmap makes it available to non-administrators of the cluster. Because this configmap contains essentially all the information and credentials required to administer the cluster, anyone with permission to read it thereby achieves admin-level access to the cluster (please consult the MITRE ATT&CK - Technique - Unsecured Credentials : Credentials In Files for further information about the associated technique of attack).

Important: For the exposure of credentials not related to Rancher and RKE, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services.

It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.

Patches

This vulnerability is being fixed in RKE versions 1.4.19 and 1.5.10 which are included in Rancher versions 2.7.14 and 2.8.5.

The patches include changes that will cause RKE to automatically migrate the cluster state configmap to a full-cluster-state secret in the kube-system namespace. The migrated secret will only be accessible to those who have read access to the kube-system namespace in the downstream RKE cluster. In Rancher, only admin and cluster-owner roles can access the secret. The old configmap will be removed after successful migration.

All downstream clusters provisioned using RKE via Rancher will be migrated automatically on Rancher upgrade. Note that any downstream clusters that are unavailable or otherwise non migratable on Rancher upgrade will still be migrated automatically as soon as they become available.

Clusters provisioned using RKE outside of Rancher will be migrated automatically upon the next invocation of rke up (i.e. the next cluster reconciliation) after upgrading RKE.

If a rollback needs to be performed after an upgrade to a patched Rancher or RKE version, downstream RKE clusters that were migrated need to have their migrations manually reversed using this script: https://github.com/rancherlabs/support-tools/tree/master/reverse-rke-state-migrations. Please be sure to back up downstream clusters before performing the reverse migration.

Workarounds

There are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of RKE/Rancher Manager which contains the fixes.

Users should not attempt to perform this migration manually without upgrading their RKE/Rancher versions as only post-patch versions of RKE are capable of reading the cluster state from a secret instead of a configmap. In other words, migrating the cluster state to a secret without upgrading RKE/Rancher would cause RKE to be unable to read the cluster state, making it incapable of managing the cluster until an RKE/Rancher upgrade is performed.

For more information

If you have any questions or comments about this advisory:

Reach out to the SUSE Rancher Security team for security related inquiries.
Open an issue in the Rancher repository.
Verify our support matrix and product support life cycle.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.18"
            },
            {
              "fixed": "1.4.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rke"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.9"
            },
            {
              "fixed": "1.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T22:30:48Z",
    "nvd_published_at": "2024-10-16T13:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nWhen RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data:\n\n- RancherKubernetesEngineConfig\n   - RKENodeConfig\n       - SSH username\n       - SSH private key\n       - SSH private key path\n   - RKEConfigServices\n       - ETCDService\n           - External client key\n           - BackupConfig\n               - S3BackupConfig\n                   - AWS access key\n                   - AWS secret key\n       - KubeAPIService\n           - SecretsEncryptionConfig\n               - K8s encryption configuration (contains encryption keys)\n   - PrivateRegistries\n       - User\n       - Password\n       - ECRCredentialPlugin\n           - AWS access key\n           - AWS secret key\n           - AWS session token\n   - CloudProvider\n       - AzureCloudProvider\n           - AAD client ID\n           - AAD client secret\n           - AAD client cert password\n       - OpenstackCloudProvider\n           - Username\n           - User ID\n           - Password\n       - VsphereCloudProvider\n           - GlobalVsphereOpts\n               - User\n               - Password\n           - VirtualCenterConfig\n               - User\n               - Password\n       - HarvesterCloudProvider\n           - CloudConfig\n       - CustomCloudProvider\n   - BastionHost\n       - User\n       - SSH key\n- CertificatesBundle\n   - Private key\n- EncryptionConfig\n   - Private key\n\n\nThe `State` type that contains the above info and more can viewed [here](https://github.com/rancher/rke/blob/8714c3c06e0bad55c61684fd5d94f1481128c58d/cluster/state.go#L37).\n\nWhile the `full-cluster-state` configmap is not publicly available (reading it requires access to the RKE cluster), it being a configmap makes it available to non-administrators of the cluster. Because this configmap contains essentially all the information and credentials required to administer the cluster, anyone with permission to read it thereby achieves admin-level access to the cluster (please consult the [MITRE ATT\u0026CK - Technique - Unsecured Credentials : Credentials In Files](https://attack.mitre.org/techniques/T1552/001/) for further information about the associated technique of attack).\n\n\n**Important:**\nFor the exposure of credentials not related to Rancher and RKE, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services. \n\n\nIt is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.\n\n\n### Patches\n\nThis vulnerability is being fixed in RKE versions `1.4.19` and `1.5.10` which are included in Rancher versions `2.7.14` and `2.8.5`.\n\n\nThe patches include changes that will cause RKE to automatically migrate the cluster state configmap to a `full-cluster-state` secret in the `kube-system` namespace. The migrated secret will only be accessible to those who have read access to the `kube-system` namespace in the downstream RKE cluster. In Rancher, only admin and cluster-owner roles can access the secret. The old configmap will be removed after successful migration.\n\n\nAll downstream clusters provisioned using RKE via Rancher will be migrated automatically on Rancher upgrade. Note that any downstream clusters that are unavailable or otherwise non migratable on Rancher upgrade will still be migrated automatically as soon as they become available.\n\n\nClusters provisioned using RKE outside of Rancher will be migrated automatically upon the next invocation of `rke up` (i.e. the next cluster reconciliation) after upgrading RKE.\n\n\nIf a rollback needs to be performed after an upgrade to a patched Rancher or RKE version, downstream RKE clusters that were migrated need to have their migrations manually reversed using this script: https://github.com/rancherlabs/support-tools/tree/master/reverse-rke-state-migrations. \n**Please be sure to back up downstream clusters before performing the reverse migration**.\n\n\n### Workarounds\n\nThere are no workarounds for this issue. Users are recommended to upgrade, as soon as possible, to a version of RKE/Rancher Manager which contains the fixes.\n\n\nUsers should not attempt to perform this migration manually without upgrading their RKE/Rancher versions as only post-patch versions of RKE are capable of reading the cluster state from a secret instead of a configmap. In other words, migrating the cluster state to a secret without upgrading RKE/Rancher would cause RKE to be unable to read the cluster state, making it incapable of managing the cluster until an RKE/Rancher upgrade is performed.\n\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support life cycle](https://www.suse.com/lifecycle/).\n",
  "id": "GHSA-6gr4-52w6-vmqx",
  "modified": "2024-10-16T17:26:10Z",
  "published": "2024-06-17T22:30:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rke/commit/cf49199481a1891909acb1384eed73a5c987d5bd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rke/commit/f7485b8dce376db0fc15a7c3ceb3de7029c8d0cf"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rke"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rke\u0027s credentials are stored in the RKE1 Cluster state ConfigMap"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-32191 (GCVE-0-2023-32191)

Vulnerability from cvelistv5

fkie_cve-2023-32191

Vulnerability from fkie_nvd

gsd-2023-32191

Vulnerability from gsd

wid-sec-w-2024-1397

Vulnerability from csaf_certbund

ghsa-6gr4-52w6-vmqx

Vulnerability from github

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature