SUSE Virtualization (Harvester), TLS Certificate Verification Bypass, CVE-Not-Listed (Critical)


How the mentioned CVE works (technical details):

The vulnerability exists in the SUSE Virtualization (Harvester) registration client used to register a cluster with Rancher Manager. The client initializes its TLS connection with `InsecureSkipVerify` set to `true` (or an equivalent option that disables certificate validation), so any certificate, whether self-signed, expired, or issued by an untrusted CA, is accepted during the handshake.
An attacker positioned between the Harvester node and Rancher Manager (man-in-the-middle) can intercept the registration request. Because the client never checks the remote certificate chain against the system trust store or any operator-supplied `additional-ca` certificates, the attacker can present a spoofed certificate and complete the TLS handshake. The client then sends its cluster registration payload, including the node identity and credentials, to the impersonated service instead of the genuine Rancher Manager.
In addition, the registration client does not limit the size of response payloads. A malicious server, or a MitM attacker who has already hijacked the session, can send an oversized or malformed response. The client copies this response into a fixed-size buffer without bounds checking, causing a heap or stack buffer overflow. The overflow typically crashes the `harvester-registration-controller` process; under specific conditions it may allow arbitrary code execution. The crash denies service to the registration function, preventing the Harvester cluster from connecting to or renewing its registration with Rancher Manager.
The affected component is the `cluster-registration-url` configuration path, a separate channel from the operational TLS connection between Harvester and Rancher: management traffic after registration stays encrypted, but the initial registration handshake is exposed. Exploitation requires network-level access to the traffic between the two systems (the same broadcast domain, ARP spoofing, or a compromised router).
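The two defects described above, as an added Go example that is not Harvester's or Rancher's code: it builds the vulnerable client (`InsecureSkipVerify`) next to a hardened one whose `RootCAs` pool stands in for the `additional-ca` setting, stands up a genuine test server and a rogue one holding its own self-signed key and a 16 KiB token, and bounds the reply with `io.LimitReader` instead of copying it into a fixed buffer. The function names, the 4096-byte cap, the `{"node":…}` payload, the sample token and the use of `httptest` are all assumptions made here; only the standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const maxResponseBytes = 4096 // hypothetical cap on a registration reply; larger bodies are refused

var ErrResponseTooLarge = errors.New("registration response exceeds size limit")

// newRegistrationClient: insecure=true reproduces the InsecureSkipVerify client the article describes;
// otherwise the chain must validate against caPool, standing in for additional-ca (nil = system roots).
func newRegistrationClient(caPool *x509.CertPool, insecure bool) *http.Client {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if insecure {
		cfg.InsecureSkipVerify = true // vulnerable: any certificate completes the handshake
	} else {
		cfg.RootCAs = caPool // hardened: an unknown issuer fails with x509.UnknownAuthorityError
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
}

// register posts a constructed node payload and returns the token from the reply, reading at most
// maxResponseBytes+1 bytes so an oversized or malicious reply cannot exhaust memory.
func register(client *http.Client, url string) (string, error) {
	resp, err := client.Post(url, "application/json", strings.NewReader(`{"node":"harvester-node-1"}`))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBytes+1))
	if err != nil {
		return "", err
	}
	if len(body) > maxResponseBytes {
		return "", ErrResponseTooLarge
	}
	var reply struct{ Token string `json:"token"` }
	return reply.Token, json.Unmarshal(body, &reply)
}

// rogueCert mints a throwaway self-signed cert for 127.0.0.1 (the attacker's `openssl req -x509`); test fixture, panics on error.
func rogueCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func handler(body string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, body) })
}

// runScenario runs both clients against a genuine server (httptest cert, trusted via the pool) and a rogue one.
func runScenario() (insecureAcceptsRogue, oversizedRejected, hardenedRejectsRogue, hardenedAcceptsGenuine bool) {
	genuine := httptest.NewTLSServer(handler(`{"token":"sample-registration-token"}`))
	defer genuine.Close()
	rogue := httptest.NewUnstartedServer(handler(`{"token":"` + strings.Repeat("A", 16384) + `"}`))
	rogue.TLS = &tls.Config{Certificates: []tls.Certificate{rogueCert()}}
	rogue.StartTLS()
	defer rogue.Close()
	pool := x509.NewCertPool() // plays the additional-ca setting: only the genuine server is trusted
	pool.AddCert(genuine.Certificate())
	var unknownCA x509.UnknownAuthorityError
	_, err := register(newRegistrationClient(nil, true), rogue.URL)
	insecureAcceptsRogue = !errors.As(err, &unknownCA) // handshake succeeded; only the size cap tripped
	oversizedRejected = errors.Is(err, ErrResponseTooLarge)
	_, err = register(newRegistrationClient(pool, false), rogue.URL)
	hardenedRejectsRogue = errors.As(err, &unknownCA)
	_, err = register(newRegistrationClient(pool, false), genuine.URL)
	hardenedAcceptsGenuine = err == nil
	return
}

func main() { fmt.Println(runScenario()) } // prints: true true true true
```

Run it with `go run .`: the four booleans show that the insecure client completes the handshake with the rogue server and is saved only by the size cap, while the hardened client fails closed on the unknown issuer and still registers with the trusted server. The cap is the design point for the second defect: a bounded reader turns an oversized reply into an ordinary error rather than a crash, and the limit should be set from the largest legitimate registration reply you expect, not from the transport's defaults.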

dailycve form:

Platform: SUSE Virtualization
Version: <1.8.0
Vulnerability: MitM + overflow
Severity: Critical
Date: 2025-01-21 (assumed disclosure)

Prediction: Already patched (v1.8.0)

What Undercode Say:

```shell
# Check the current registration URL setting (settings.harvesterhci.io is cluster-scoped)
kubectl get settings.harvesterhci.io cluster-registration-url -o yaml

# Simulate the insecure client behaviour: -k makes curl skip certificate verification
curl -k https://<rancher-manager-ip>/v3/register

# Look for the insecure TLS option in the registration controller logs
# (log path as given by the page; adjust to where your controller logs are collected)
grep "InsecureSkipVerify" /var/log/harvester/registration-controller.log

# Conceptual overflow test: a plain listener that answers the first connection with 10000 bytes
# (a real test needs a TLS listener presenting a certificate, as in the Exploit section)
python3 -c "print('X'*10000)" | nc -l -p 8443 -q 1

# Upgrade to the patched release (the page suggests helm; production Harvester clusters are
# normally upgraded through Harvester's own upgrade procedure)
helm upgrade harvester harvester/harvester --version 1.8.0 --namespace harvester-system
```

Exploit:

An attacker with network access between Harvester and Rancher uses ARP spoofing or DNS hijacking to redirect registration traffic, then runs a TLS listener on port 8443 presenting a self-signed certificate (e.g., generated with `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1 -nodes`). When the Harvester registration client connects, it accepts the fake certificate because of `InsecureSkipVerify`. The attacker then returns a crafted oversized JSON response, such as `{"token":"AAAA..."}` with a 16384-byte token value, causing a buffer overflow that crashes the registration controller and blocks legitimate registration.

Protection from this CVE:

  • Upgrade to SUSE Virtualization v1.8.0 or newer, which patches certificate validation.
  • If upgrading is not possible, restrict who can change the `cluster-registration-url` setting to authorized cluster administrators via RBAC:
    `kubectl edit role harvester-settings -n harvester-system` and remove the verbs that grant modification rights. This only prevents the URL from being repointed at a rogue server; it does not stop on-path interception of the existing channel.
  • Deploy network policies that isolate Harvester–Rancher traffic, e.g., a Calico NetworkPolicy that allows registration traffic only to the Rancher Manager's IP addresses.
  • Use eBPF or iptables to enforce TLS inspection at the gateway level.

Impact:

A successful MitM lets an attacker steal cluster registration tokens, impersonate Rancher Manager, and cause a denial of service of the registration controller. Memory corruption from the overflow may lead to remote code execution on the Harvester node. Operational cluster management after registration is unaffected, but new cluster joins and re-registrations are blocked or hijacked.

Sources:

Reported By: github.com