The vulnerability (CVE-2024-39931) exists within Rancher Fleet’s handling of Helm chart deployments. When sensitive data like credentials is passed via the `BundleDeployment.Spec.Options.Helm.Values` field, Fleet stores this data directly within the BundleDeployment custom resource definition (CRD) in the Kubernetes datastore. Unlike native Helm v3, which stores release values in encrypted Secrets, Fleet does not enable Kubernetes encryption at rest for these CRDs by default. Consequently, any user with basic LIST or GET permissions on BundleDeployment objects can retrieve the entire Helm values payload, including any embedded secrets, via standard Kubernetes API calls. This exposes credentials in both the etcd storage and in API responses, leading to a critical information disclosure flaw.
Platform: Rancher Fleet
Version: <v0.11.10, <v0.12.6, <v0.13.1, <v0.14.0
Vulnerability: Plaintext Secret Storage
Severity: Critical
Date: 2024
Prediction: 2024-10-15
What Undercode Say:
`kubectl get bundledeployments.fleet.cattle.io -o yaml`
`grep -A 20 "helm:"`
`fleet apply -f bundle.yaml`
How Exploit:
`kubectl get bundledeployments -A`
`kubectl get bundledeployment
Protection from this CVE
Upgrade Fleet immediately.
Rotate all exposed secrets.
Review BundleDeployment permissions.
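The permission review can be scripted. The following is an added example, not code from the advisory or from the Fleet project: it reads the JSON produced by `kubectl get clusterroles,roles -A -o json` and lists every role whose rules grant get, list or watch on `bundledeployments` in the `fleet.cattle.io` group, wildcard rules included. The embedded role list and its role names are constructed sample data.

```python
import json

# Constructed sample of `kubectl get clusterroles,roles -A -o json` output
# (role names are hypothetical, not taken from a real cluster).
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "fleet-viewer"},
  "rules": [{"apiGroups": ["fleet.cattle.io"],
             "resources": ["bundledeployments"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "all-reader"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["list"]}]},
 {"kind": "Role", "metadata": {"name": "gitrepo-editor", "namespace": "fleet-default"},
  "rules": [{"apiGroups": ["fleet.cattle.io"],
             "resources": ["gitrepos"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "bd-writer", "namespace": "fleet-default"},
  "rules": [{"apiGroups": ["fleet.cattle.io"],
             "resources": ["bundledeployments"], "verbs": ["create", "patch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "aggregate-only"}, "rules": null}
]}
""")

GROUP, RESOURCE = "fleet.cattle.io", "bundledeployments"
READ_VERBS = {"get", "list", "watch"}  # each returns the full object, Helm values included

def _matches(allowed, wanted):
    """RBAC list match: an entry of '*' matches anything."""
    return "*" in allowed or wanted in allowed

def roles_reading_bundledeployments(role_list):
    """Return sorted (kind, namespace, name, verbs) for roles that can read BundleDeployments."""
    findings = []
    for role in role_list.get("items", []):
        verbs = set()
        for rule in role.get("rules") or []:  # aggregated roles may carry null rules
            if not (_matches(rule.get("apiGroups", []), GROUP)
                    and _matches(rule.get("resources", []), RESOURCE)):
                continue
            rule_verbs = set(rule.get("verbs", []))
            verbs |= READ_VERBS if "*" in rule_verbs else rule_verbs & READ_VERBS
        if verbs:
            meta = role["metadata"]
            findings.append((role["kind"], meta.get("namespace", ""), meta["name"], sorted(verbs)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, ns, name, verbs in roles_reading_bundledeployments(SAMPLE):
        print(f"{kind:12} {ns or '-':14} {name:16} {','.join(verbs)}")
```

Each flagged role still has to be traced through its RoleBindings and ClusterRoleBindings to see which users, groups and service accounts actually hold it.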
Impact:
Sensitive Data Disclosure
Credential Leakage
Privilege Escalation Potential
Sources:
Reported By: github.com

