The vulnerability exists in the `/meta/proxy` endpoint of Rancher Manager. When a user creates a new cloud credential, Rancher proxies requests through this endpoint to the external cloud provider domains allow-listed for the node driver in use (for example amazonaws.com for AWS, or the DigitalOcean API). The handler forwarded every HTTP header on the incoming request unchanged, including the `Impersonate-*` family (`Impersonate-User`, `Impersonate-Group`, `Impersonate-Extra-*`). Rancher sets these headers itself, after authenticating the caller, in order to impersonate the user internally; the `Impersonate-Extra-` headers carry attributes of the authenticated identity and can contain sensitive values such as an email address when the configured authentication provider places one in the username or principal ID. Because the headers were copied verbatim, that identity data was sent to the third-party provider domain of whichever node driver was in use. The patch adds a filter to the `/meta/proxy` handler that strips all `Impersonate-` headers before the request is proxied to the external entity.
Platform: Rancher Manager
Version: <2.9.12, <2.10.10, <2.11.6, <2.12.2
Vulnerability: Information Disclosure
Severity: Medium
date: 2023-01-18
Prediction: 2023-01-18 (Patched)
What Undercode Say:
```bash
# Request that triggers the proxied call (simplified). The client only supplies its own
# Rancher token. Rancher's auth layer then attaches Impersonate-User and Impersonate-Extra-*
# headers server-side (e.g. "Impersonate-Extra-Username: [email protected]") before the
# request reaches the proxy handler; an unpatched handler forwards those to the external host.
# A client-supplied Impersonate-* header is not the vector: the leak is of Rancher's own headers.
curl -H "Authorization: Bearer <rancher-token>" https://<rancher-server>/meta/proxy/iam.amazonaws.com/
```
```go
// Vulnerable code snippet (simplified; extractTargetURL is an illustrative helper)
package main

import (
	"net/http"
	"strings"
)

// extractTargetURL rebuilds the upstream URL from the path after /meta/proxy/.
func extractTargetURL(r *http.Request) string {
	return "https://" + strings.TrimPrefix(r.URL.Path, "/meta/proxy/")
}

func proxyHandler(w http.ResponseWriter, r *http.Request) {
	targetURL := extractTargetURL(r)
	proxyReq, _ := http.NewRequest(r.Method, targetURL, r.Body)
	// Copies all headers, including the Impersonate-Extra-* headers that
	// Rancher's own auth layer added for internal impersonation.
	for header, values := range r.Header {
		for _, value := range values {
			proxyReq.Header.Add(header, value)
		}
	}
	// ... send proxyReq to the external domain and relay the response
}
```
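The hardened form of the header copy, as an added example written for this page (it is not Rancher's patch; the function names `outboundHeaders`, `newProxyRequest` and `leakedHeaders`, and the sample header values, are illustrative). The filter matches the header name case-insensitively on the `Impersonate-` prefix, so `Impersonate-User`, `Impersonate-Group` and every `Impersonate-Extra-*` header are dropped while other headers pass through, and it also catches a key that was set on the map without canonicalisation:

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Kubernetes impersonation headers share this prefix; HTTP header names are
// case-insensitive, so compare lower-cased.
const impersonatePrefix = "impersonate-"

// isImpersonateHeader reports whether a header name is an impersonation
// header that must never leave the cluster.
func isImpersonateHeader(name string) bool {
	return strings.HasPrefix(strings.ToLower(name), impersonatePrefix)
}

// outboundHeaders returns a copy of src suitable for forwarding to an
// external host: every Impersonate-* header is dropped, everything else kept.
func outboundHeaders(src http.Header) http.Header {
	dst := make(http.Header, len(src))
	for name, values := range src {
		if isImpersonateHeader(name) {
			continue
		}
		for _, v := range values {
			dst.Add(name, v)
		}
	}
	return dst
}

// newProxyRequest builds the upstream request a patched handler would send:
// same method and body, but only the filtered headers.
func newProxyRequest(r *http.Request, targetURL string) (*http.Request, error) {
	proxyReq, err := http.NewRequest(r.Method, targetURL, r.Body)
	if err != nil {
		return nil, err
	}
	proxyReq.Header = outboundHeaders(r.Header)
	return proxyReq, nil
}

// leakedHeaders lists, sorted, the impersonation headers present in h; an
// unfiltered copy would send exactly these to the external host.
func leakedHeaders(h http.Header) []string {
	var leaked []string
	for name := range h {
		if isImpersonateHeader(name) {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked
}

func main() {
	// Constructed inbound request: what the auth layer would hand the proxy
	// handler after authenticating an LDAP user (all values made up).
	in, _ := http.NewRequest(http.MethodGet,
		"https://rancher.example/meta/proxy/iam.amazonaws.com/", nil)
	in.Header.Set("Accept", "application/json")
	in.Header.Set("Impersonate-User", "u-abc123")
	in.Header.Set("Impersonate-Extra-Username", "alice@example.com")
	in.Header.Set("Impersonate-Extra-Principalid", "openldap_user://cn=alice,dc=example,dc=com")

	fmt.Println("unfiltered copy would leak:", leakedHeaders(in.Header))
	out, _ := newProxyRequest(in, "https://iam.amazonaws.com/")
	fmt.Println("filtered copy leaks:", leakedHeaders(out.Header))
	fmt.Println("Accept still forwarded:", out.Header.Get("Accept"))
}
```

`leakedHeaders` doubles as a check you can run against any proxy you operate: capture what the upstream actually receives (for instance with a local `httptest.Server` standing in for the provider) and assert the list is empty.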
How Exploit:
Any authenticated user with a standard account can create a cloud credential. During that flow Rancher issues a proxied request to the cloud provider's API through `/meta/proxy`. The user does not set the impersonation headers themselves: Rancher's auth layer attaches them after validating the session, and if the authenticated identity (for example one supplied by an LDAP provider) carries an email address, that address lands in the `Impersonate-Extra-Username` header and is forwarded to the external cloud provider domain with the rest of the request. The party that receives the information is therefore the third-party provider (or anyone able to read traffic or logs on that side), not another Rancher user.
Protection from this CVE
Upgrade to Rancher Manager v2.12.2, v2.11.6, v2.10.10, or v2.9.12, whichever matches your minor release line. These versions strip `Impersonate-` headers from the request before it is proxied to the external host.
Impact:
Sensitive information disclosure (email addresses, principal IDs) to third-party cloud providers. No authentication tokens or passwords are leaked.
Sources:
Reported By: github.com