How the CVE Works
The vulnerability in Rancher allows a user with project creation rights to escalate privileges by creating a project with the same name as an existing project in another cluster. This occurs because Rancher uses the project name as the namespace for storing resources like ProjectRoleTemplateBindings (PRTBs) and secrets. When a duplicate project name is created, the attacker gains unintended access to the original project in the other cluster. The flaw stems from improper namespace isolation, enabling cross-cluster access.
Patched versions enforce a new `backingNamespace` field, ensuring unique namespaces by combining cluster and project names. Unpatched systems remain vulnerable to this namespace collision attack, leading to unauthorized privilege escalation.
DailyCVE Form
Platform: Rancher
Version: <2.11.1, <2.10.5, <2.9.9
Vulnerability: Privilege Escalation
Severity: Critical
Date: 2023-01-01
What Undercode Says:
Exploitation:
1. Attacker creates a project with a duplicate name in Cluster B:
rancher projects create --cluster-id <clusterB> existing-project
2. Verify namespace collision:
kubectl get ns existing-project -o yaml
3. Access secrets from Cluster A:
kubectl get secrets -n existing-project
Mitigation:
1. Upgrade to patched versions:
helm upgrade rancher rancher-latest/rancher --version 2.11.1
2. Enforce unique project names:
rancher projects ls --all-namespaces
3. Manual cleanup of duplicate projects:
kubectl delete project existing-project --cluster=<clusterB>
Detection:
1. Scan for duplicate projects:
kubectl get projects -A -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | sort | uniq -d
2. Monitor project creation logs:
kubectl logs -n cattle-system -l app=rancher | grep "project creation"
Code Fix (Webhook Snippet):
// Take a pointer so the mutation is visible to the caller; on a value copy the
// assignment below would be lost.
func mutateProject(project *v3.Project) {
	// Only fill in the backing namespace once, combining cluster and project names
	// so that equal project names in different clusters no longer share a namespace.
	if project.Status.BackingNamespace == "" {
		project.Status.BackingNamespace = safeConcatName(project.Spec.ClusterName, project.Name)
	}
}
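To make the collision described in "How the CVE Works" concrete, and to show the check behind the duplicate-project detection step, here is an added Go example that is not Rancher's code: it models the unpatched derivation (bare project name) beside the patched backingNamespace derivation (cluster name joined with project name) and reports which projects would share a namespace. The project type, the sample project list and the simplified safeConcatName helper are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// project is a minimal stand-in for Rancher's v3.Project (constructed for this example).
type project struct{ ClusterName, Name string }

// legacyNamespace mirrors unpatched Rancher: the bare project name is the namespace for PRTBs and secrets, so equal names in two clusters collide.
func legacyNamespace(p project) string { return p.Name }

// safeConcatName is a simplified stand-in for the webhook helper: join with "-", and
// past the 63-character Kubernetes limit truncate and append a short hash suffix.
func safeConcatName(parts ...string) string {
	name := strings.Join(parts, "-")
	if len(name) <= 63 {
		return name
	}
	sum := sha256.Sum256([]byte(name))
	return name[:57] + "-" + hex.EncodeToString(sum[:])[:5]
}

// backingNamespace mirrors patched Rancher: cluster name and project name combined.
func backingNamespace(p project) string { return safeConcatName(p.ClusterName, p.Name) }

// findCollisions returns each namespace that two or more projects map to under derive; over real projects this is the duplicate-name detection check.
func findCollisions(projects []project, derive func(project) string) map[string][]project {
	byNS := map[string][]project{}
	for _, p := range projects {
		byNS[derive(p)] = append(byNS[derive(p)], p)
	}
	for ns, ps := range byNS {
		if len(ps) < 2 {
			delete(byNS, ns) // deleting the current key during range is safe in Go
		}
	}
	return byNS
}

func main() {
	// Constructed sample: the original project in cluster A and the duplicate in cluster B.
	projects := []project{{"c-clusterA", "existing-project"}, {"c-clusterB", "existing-project"}}
	fmt.Println("unpatched collisions:", findCollisions(projects, legacyNamespace))
	fmt.Println("patched collisions:", findCollisions(projects, backingNamespace))
}
```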
Reported By: github.com