Vulnerabilities > CVE-2019-12274 - Missing Authorization vulnerability in Suse Rancher

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
suse
CWE-862
nessus

Summary

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMisc.
    NASL idRANCHER_CVE-2019-12303.NASL
    descriptionIn Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128057
    published2019-08-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128057
    titleRancher 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Command Injection Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128057);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      script_cve_id("CVE-2019-12303");
    
      script_name(english:"Rancher 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Command Injection Vulnerability");
      script_summary(english:"Checks version of Rancher.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A Docker container of Rancher installed on the remote host is missing a security patch.");
      script_set_attribute(attribute:"description", value:
    "In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute 
    arbitrary commands inside the fluentd container.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version 
    number.");
      # https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76c65d4b");
      # https://github.com/rancher/rancher/releases/tag/v2.2.4
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?972b6c60");
      # https://github.com/rancher/rancher/releases/tag/v2.1.10
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48cf906b");
      # https://github.com/rancher/rancher/releases/tag/v2.0.15
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3693a71b");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to version 2.0.15 / 2.1.10 / 2.2.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12303");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/06/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/a:rancher_labs:rancher");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("rancher_local_detection.nbin", "rancher_web_ui_detect.nbin");
      script_require_keys("installed_sw/Rancher", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include('vcf.inc');
    include('vcf_extras.inc');
    
    app = 'Rancher';
    
    get_install_count(app_name:app, exit_if_zero:TRUE);
    app_info = vcf::combined_get_app_info(app:app);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    constraints = [
      {'min_version'   : '2.0.0',  'fixed_version' : '2.0.15'},
      {'min_version'   : '2.1.0',  'fixed_version' : '2.1.10'},
      {'min_version'   : '2.2.0',  'fixed_version' : '2.2.4'}
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyMisc.
    NASL idRANCHER_CVE-2019-12274.NASL
    descriptionIn Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128056
    published2019-08-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128056
    titleRancher 1.6.x < 1.6.28 / 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Arbitrary Files Read Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128056);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      script_cve_id("CVE-2019-12274");
    
      script_name(english:"Rancher 1.6.x < 1.6.28 / 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Arbitrary Files Read Vulnerability");
      script_summary(english:"Checks version of Rancher.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A Docker container of Rancher installed on the remote host is missing a security patch.");
      script_set_attribute(attribute:"description", value:
    "In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the 
    Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The 
    problem is that a user could choose to post a sensitive file such as /root/.kube/config or 
    /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version 
    number.");
      # https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76c65d4b");
      # https://github.com/rancher/rancher/releases/tag/v2.2.4
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?972b6c60");
      # https://github.com/rancher/rancher/releases/tag/v2.1.10
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48cf906b");
      # https://github.com/rancher/rancher/releases/tag/v2.0.15
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3693a71b");
      # https://github.com/rancher/rancher/releases/tag/v1.6.28
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2d277a3");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to version 1.6.28 / 2.0.15 / 2.1.10 / 2.2.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12274");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/06/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/a:rancher_labs:rancher");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("rancher_local_detection.nbin", "rancher_web_ui_detect.nbin");
      script_require_keys("installed_sw/Rancher", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include('vcf.inc');
    include('vcf_extras.inc');
    
    app = 'Rancher';
    
    get_install_count(app_name:app, exit_if_zero:TRUE);
    app_info = vcf::combined_get_app_info(app:app);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    constraints = [
      {'min_version'   : '1.6.0',  'fixed_version' : '1.6.28'},
      {'min_version'   : '2.0.0',  'fixed_version' : '2.0.15'},
      {'min_version'   : '2.1.0',  'fixed_version' : '2.1.10'},
      {'min_version'   : '2.2.0',  'fixed_version' : '2.2.4'}
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);