Listen to this Post
The vulnerability in Rancher Manager involves a flaw in the Rancher CLI login command when self-signed CA certificates are used. Specifically, when the `–skip-verify` flag is passed without the `–cacert` flag, the CLI erroneously attempts to fetch CA certificates from Rancher’s internal `cacerts` setting. This behavior is intended only for the login command and no other CLI commands. Normally, `–skip-verify` should disable TLS certificate verification entirely, but in this case, the CLI still tries to retrieve CA certificates from the server. An attacker with network-level access between the CLI and Rancher Manager can exploit this by intercepting the TLS handshake. They can manipulate the connection to return a CA certificate under their control, effectively bypassing TLS security. This man-in-the-middle (MITM) attack allows the attacker to decrypt traffic, view basic authentication headers, and potentially gain unauthorized access. The vulnerability stems from the improper handling of certificate validation states when flags are combined. Even with --skip-verify, the fetch mechanism for `cacerts` is triggered, creating a window for interference. This contradicts the expected behavior where `–skip-verify` should prevent any certificate checks. The issue is mitigated in patched versions by removing the `cacerts` fetch capability during login, forcing explicit use of `–cacert` for self-signed certificates. This ensures TLS enforcement and prevents certificate substitution attacks.
Platform: Rancher Manager
Version: v2.10.11-v2.13.2
Vulnerability: TLS bypass MITM
Severity: Critical
date: Unknown
Prediction: Patched versions available
What Undercode Say:
Analytics:
rancher login https://server --skip-verify rancher login https://server --cacert cert.pem curl -k https://rancher-server/v3/settings/cacerts strings rancher-cli | grep cacerts
How Exploit:
Attacker intercepts CLI-Manager traffic, injects malicious CA during TLS handshake when –skip-verify used without –cacert, decrypts auth headers.
Protection from this CVE
Upgrade to patched versions; always use –cacert with self-signed certificates; avoid –skip-verify alone.
Impact:
MITM attacks possible, TLS bypassed, authentication headers exposed.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

