A significant security flaw has been identified in SUSE Rancher’s user management module, posing a substantial risk to administrative control over Kubernetes clusters. This vulnerability, designated as CVE-2024-58260, enables users with specific privileges to alter the usernames of other accounts, potentially leading to the complete lockout of administrative access. The affected versions include Rancher Manager from 2.9.0 through 2.12.1. Organizations utilizing these versions are strongly advised to upgrade promptly or implement necessary mitigations to prevent unauthorized disruptions to cluster management.
Understanding the Vulnerability
SUSE Rancher employs a Role-Based Access Control (RBAC) system that relies on unique usernames for authentication. However, a critical oversight in this system allows for the modification of usernames post-account creation. This flaw can be exploited by an attacker with update permissions on user resources to change the username of a target account. By altering the administrator’s username, the attacker can effectively prevent the legitimate admin from logging in, thereby seizing control over the cluster.
Technical Exploitation
An attacker can exploit this vulnerability by sending a crafted API request to change the username of the admin account. For example:
```json
{
  "id": "user-abc123",
  "type": "user",
  "username": "new-admin-username"
}
```
In this scenario, the attacker’s new identifier takes precedence, rendering the original admin user unable to authenticate. This exploit not only facilitates account lockout but also allows for the arbitrary renaming of any user, enabling the attacker to assign high-privilege usernames to malicious accounts.
Risk Assessment
The vulnerability presents several risk factors:
– Affected Products: Rancher Manager versions 2.9.0 through 2.12.1.
– Impact: Potential for account lockout, preventing admin and UI login.
– Exploit Prerequisites: Requires a valid Rancher account with update permissions on the User API.
– CVSS 3.1 Score: Rated at 7.6, indicating a high severity level.
Mitigation Strategies
To address this vulnerability, SUSE Rancher has released patched versions that enforce server-side validation on the `.username` field, making usernames immutable after initial creation. The patched versions are as follows:
– 2.12.0–2.12.1 → 2.12.2
– 2.11.0–2.11.5 → 2.11.6
– 2.10.0–2.10.9 → 2.10.10
– 2.9.0–2.9.11 → 2.9.12
Administrators can upgrade with Helm, substituting the fixed version for their release line for `v2.x.x`:
```bash
helm upgrade rancher rancher-latest/rancher --namespace cattle-system --set rancherImageTag=v2.x.x
```
For environments where immediate upgrading is not feasible, it is recommended to:
– Audit RBAC Policies: Restrict update permissions on user resources to trusted operators only.
– Enable Detailed Audit Logging: Monitor and respond to suspicious API calls, particularly `PUT /v3/users` requests.
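The audit-log check described above, written out as an added example (not code from SUSE or the Rancher project). It assumes the audit log is written as one JSON record per line carrying `method`, `requestURI`, `user.name` and `requestBody` fields, and that the configured audit level captures request bodies; the sample records and the `KNOWN_USERNAMES` map are constructed for the example.

```python
import json

# Constructed sample audit records (not real Rancher output). The field names are
# an assumption about the audit log shape; adjust them to what your deployment emits.
SAMPLE_AUDIT_LINES = [
    '{"method":"GET","requestURI":"/v3/users/user-abc123","user":{"name":"user-ops1"}}',
    '{"method":"PUT","requestURI":"/v3/users/user-abc123","user":{"name":"user-ops1"},'
    '"requestBody":{"id":"user-abc123","type":"user","username":"new-admin-username"}}',
    # A full-object PUT that leaves .username unchanged must not be flagged.
    '{"method":"PUT","requestURI":"/v3/users/user-ops1","user":{"name":"user-ops1"},'
    '"requestBody":{"id":"user-ops1","type":"user","username":"ops1","description":"ops"}}',
    'not json at all',
]

# Constructed snapshot of the expected user id -> username mapping.
KNOWN_USERNAMES = {"user-abc123": "admin", "user-ops1": "ops1"}

USERS_PREFIX = "/v3/users/"


def find_username_changes(lines, known):
    """Return (actor, target_id, old_username, new_username) for every
    PUT /v3/users/<id> whose body would change the target's .username."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if rec.get("method") != "PUT":
            continue
        uri = rec.get("requestURI", "")
        if not uri.startswith(USERS_PREFIX):
            continue
        target = uri[len(USERS_PREFIX):].split("?", 1)[0]
        body = rec.get("requestBody") or {}
        if "username" not in body:
            continue
        old, new = known.get(target), body["username"]
        # Flag unknown targets too: a rename of an account we have no record of
        # still deserves a look.
        if old is None or new != old:
            actor = (rec.get("user") or {}).get("name", "<unknown>")
            findings.append((actor, target, old, new))
    return findings


if __name__ == "__main__":
    for f in find_username_changes(SAMPLE_AUDIT_LINES, KNOWN_USERNAMES):
        print("username change: actor=%s target=%s %r -> %r" % f)
```

Run it against a real audit stream by replacing `SAMPLE_AUDIT_LINES` with the log lines and `KNOWN_USERNAMES` with a periodic export of user ids and usernames.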
Conclusion
By promptly addressing this high-severity issue, organizations can safeguard the integrity of their Rancher UI and prevent potential denial-of-service attacks against critical administrative accounts. Continuous monitoring of global RBAC settings and the timely adoption of security patches are essential best practices for securing container management platforms.