Rancher Manager, TLS Certificate Validation Bypass, No CVE Specified (Critical)

Listen to this Post

The vulnerability in Rancher Manager involves a flaw in the Rancher CLI login command when self-signed CA certificates are used. Specifically, when the `–skip-verify` flag is passed without the `–cacert` flag, the CLI erroneously attempts to fetch CA certificates from Rancher’s internal `cacerts` setting. This behavior is intended only for the login command and no other CLI commands. Normally, `–skip-verify` should disable TLS certificate verification entirely, but in this case, the CLI still tries to retrieve CA certificates from the server. An attacker with network-level access between the CLI and Rancher Manager can exploit this by intercepting the TLS handshake. They can manipulate the connection to return a CA certificate under their control, effectively bypassing TLS security. This man-in-the-middle (MITM) attack allows the attacker to decrypt traffic, view basic authentication headers, and potentially gain unauthorized access. The vulnerability stems from the improper handling of certificate validation states when flags are combined. Even with --skip-verify, the fetch mechanism for `cacerts` is triggered, creating a window for interference. This contradicts the expected behavior where `–skip-verify` should prevent any certificate checks. The issue is mitigated in patched versions by removing the `cacerts` fetch capability during login, forcing explicit use of `–cacert` for self-signed certificates. This ensures TLS enforcement and prevents certificate substitution attacks.
Platform: Rancher Manager
Version: v2.10.11-v2.13.2
Vulnerability: TLS bypass MITM
Severity: Critical
date: Unknown

Prediction: Patched versions available

What Undercode Say:

Analytics:

rancher login https://server --skip-verify
rancher login https://server --cacert cert.pem
curl -k https://rancher-server/v3/settings/cacerts
strings rancher-cli | grep cacerts

How Exploit:

Attacker intercepts CLI-Manager traffic, injects malicious CA during TLS handshake when –skip-verify used without –cacert, decrypts auth headers.

Protection from this CVE

Upgrade to patched versions; always use –cacert with self-signed certificates; avoid –skip-verify alone.

Impact:

MITM attacks possible, TLS bypassed, authentication headers exposed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top