Rancher, Authentication Bypass, CVE-2023-XXXX (Critical)


How the Mentioned CVE Works:

The vulnerability in Rancher allows an unauthenticated attacker to list and delete CLI authentication tokens before the CLI can retrieve them, disrupting the login process for users who log in through the Rancher CLI with a SAML-based authentication provider. The issue arises during the login flow: the CLI generates a random token name and polls the /v3-public/authTokens/<token name> endpoint every 10 seconds. Once the login succeeds, Rancher creates an encrypted auth token under that name, which the CLI retrieves and then deletes. Because the endpoint can be listed and tokens deleted without authentication, an attacker can delete these tokens before the CLI retrieves them, preventing legitimate users from logging in. The vulnerability affects only SAML-based authentication providers; local and other non-SAML authentication methods are not impacted.

DailyCVE Form:

Platform: Rancher
Version: v2.8.0 – v2.10.2
Vulnerability: Authentication Bypass
Severity: Critical
Date: 2023-XX-XX

What Undercode Says:

Exploitation:

1. Exploit Command:

Use `curl` to list and delete tokens:

curl -X GET http://<rancher-server>/v3-public/authTokens/
curl -X DELETE http://<rancher-server>/v3-public/authTokens/<token name>

2. Exploit Impact:

Prevents legitimate users from logging in via CLI, disrupting operations.

3. Exploit URL:

Access the vulnerable endpoint:

http://<rancher-server>/v3-public/authTokens/

Protection:

1. Patch Command:

Upgrade Rancher to patched versions:

docker pull rancher/rancher:v2.8.13
docker pull rancher/rancher:v2.9.7
docker pull rancher/rancher:v2.10.3

2. Workaround:

Avoid using Rancher CLI for SAML-based logins until patched.

3. Mitigation Script:

Restrict access to the /v3-public/authTokens/ endpoint using a reverse proxy. Note that the Rancher CLI polls this same endpoint during SAML login, so blocking it also disables CLI SAML logins; pair it with the workaround above until the upgrade is applied:

location /v3-public/authTokens/ {
    deny all;
}

4. Monitoring Command:

Check for unauthorized access attempts. The legitimate CLI polls this path too, so the signal is GET requests on the bare collection path (a listing) and DELETE requests that do not come from the client that was polling the token:

grep "GET /v3-public/authTokens/" /var/log/nginx/access.log

5. Reference URLs:

6. Testing Patch:

Verify the fix by attempting to access the endpoint:

curl -X GET http://<rancher-server>/v3-public/authTokens/

Expected response: `403 Forbidden`.

7. Log Analysis:

Monitor logs for suspicious activity:

tail -f /var/log/rancher/audit.log | grep "authTokens"
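The two grep commands above (the nginx access log in step 4 and the audit log in step 7) match every request to the endpoint, including the CLI's own polling. The script below is an added example written for this page, not Rancher project code: it parses reverse-proxy access-log lines in nginx "combined" format (the sample lines are constructed) and applies the distinction the advisory describes. A legitimate CLI login only GETs a single, randomly named token and then deletes that same token; a client that lists the bare collection, or that DELETEs a token it never polled, is the pattern to alert on. The token-name logic applies equally to whatever log records the requests; the log format and client addresses here are assumptions.

```python
"""Flag suspicious access to Rancher's /v3-public/authTokens/ endpoint.

Added example for this page (not Rancher project code). Parses nginx
"combined" access-log lines and reports clients that listed the token
collection or deleted a token they never polled themselves.
"""
import re
from collections import defaultdict

# nginx "combined" format: client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

TOKEN_PREFIX = "/v3-public/authTokens"


def parse_line(line):
    """Return a dict with client/time/method/path/status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def token_name(path):
    """Map a request path to a token name.

    Returns None for unrelated paths, "" for the bare collection
    (/v3-public/authTokens/ with no token name), and the token name otherwise.
    """
    path = path.split("?", 1)[0].rstrip("/")
    if path == TOKEN_PREFIX:
        return ""
    if path.startswith(TOKEN_PREFIX + "/"):
        return path[len(TOKEN_PREFIX) + 1:]
    return None


def analyze(lines):
    """Return listers (clients that enumerated the collection) and foreign
    deletes (client, token) where the deleting client never polled that token."""
    pollers = defaultdict(set)   # token name -> clients that GET it
    listers = set()
    deletes = []                 # (client, token) for every DELETE seen
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        token = token_name(entry["path"])
        if token is None:
            continue
        if entry["method"] == "GET":
            if token == "":
                listers.add(entry["client"])   # the CLI never lists; attacker pattern
            else:
                pollers[token].add(entry["client"])
        elif entry["method"] == "DELETE" and token:
            deletes.append((entry["client"], token))
    # The whole log is read before checking, so log ordering does not matter.
    foreign = sorted((c, t) for c, t in deletes if c not in pollers[t])
    return {"listers": sorted(listers), "foreign_deletes": foreign}


# Constructed sample: 10.0.0.5 is a legitimate CLI login (poll, retrieve, delete its
# own token); 203.0.113.7 lists the collection and deletes a token it never polled.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2025:10:00:00 +0000] "GET /v3-public/authTokens/abc123 HTTP/1.1" 404 0 "-" "rancher-cli"',
    '203.0.113.7 - - [01/Feb/2025:10:00:05 +0000] "GET /v3-public/authTokens/ HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Feb/2025:10:00:06 +0000] "DELETE /v3-public/authTokens/abc123 HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.0.0.9 - - [01/Feb/2025:10:00:07 +0000] "GET /v3/clusters HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Feb/2025:10:00:10 +0000] "GET /v3-public/authTokens/abc123 HTTP/1.1" 200 512 "-" "rancher-cli"',
    '10.0.0.5 - - [01/Feb/2025:10:00:10 +0000] "DELETE /v3-public/authTokens/abc123 HTTP/1.1" 200 0 "-" "rancher-cli"',
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client in report["listers"]:
        print(f"listing of token collection by {client}")
    for client, token in report["foreign_deletes"]:
        print(f"DELETE of token {token} by {client}, which never polled it")
```

To run it against a real file, replace SAMPLE_LOG with the lines of the access log (for example `analyze(open("/var/log/nginx/access.log"))`). Because the legitimate CLI deletes its own token, a bare count of DELETE requests would produce constant false positives; correlating each DELETE with the client that polled the token is what separates the CLI's cleanup from the advisory's attack pattern.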

8. Automated Patching:

Use Kubernetes to automate Rancher updates:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rancher
spec:
  # selector and matching template labels are required for a valid Deployment
  selector:
    matchLabels:
      app: rancher
  template:
    metadata:
      labels:
        app: rancher
    spec:
      containers:
        - name: rancher
          image: rancher/rancher:v2.10.3

9. Security Best Practices:

  • Disable unused authentication providers.
  • Regularly audit access logs for anomalies.
  • Implement network segmentation to restrict access to Rancher servers.

10. Community Resources:

By following these steps, organizations can mitigate the risk posed by this critical vulnerability and ensure the security of their Rancher deployments.

References:

Reported By: https://github.com/advisories/GHSA-5qmp-9x47-92q8