Vulnerabilities > CVE-2019-12274 - Missing Authorization vulnerability in Suse Rancher
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Misc. NASL id RANCHER_CVE-2019-12303.NASL description In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 128057 published 2019-08-22 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128057 title Rancher 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Command Injection Vulnerability code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(128057); script_version("1.2"); script_cvs_date("Date: 2019/10/17 14:31:04"); script_cve_id("CVE-2019-12303"); script_name(english:"Rancher 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Command Injection Vulnerability"); script_summary(english:"Checks version of Rancher."); script_set_attribute(attribute:"synopsis", value: "A Docker container of Rancher installed on the remote host is missing a security patch."); script_set_attribute(attribute:"description", value: "In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76c65d4b"); # https://github.com/rancher/rancher/releases/tag/v2.2.4 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?972b6c60"); # https://github.com/rancher/rancher/releases/tag/v2.1.10 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48cf906b"); # https://github.com/rancher/rancher/releases/tag/v2.0.15 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3693a71b"); script_set_attribute(attribute:"solution", value: "Upgrade to version 2.0.15 / 2.1.10 / 2.2.4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12303"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/05"); script_set_attribute(attribute:"patch_publication_date", value:"2019/06/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:rancher_labs:rancher"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("rancher_local_detection.nbin", "rancher_web_ui_detect.nbin"); script_require_keys("installed_sw/Rancher", "Settings/ParanoidReport"); exit(0); } include('vcf.inc'); include('vcf_extras.inc'); app = 'Rancher'; get_install_count(app_name:app, exit_if_zero:TRUE); app_info = vcf::combined_get_app_info(app:app); if (report_paranoia < 2) audit(AUDIT_PARANOID); constraints = [ {'min_version' : '2.0.0', 'fixed_version' : '2.0.15'}, {'min_version' : '2.1.0', 'fixed_version' : '2.1.10'}, {'min_version' : '2.2.0', 'fixed_version' : '2.2.4'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);NASL family Misc. NASL id RANCHER_CVE-2019-12274.NASL description In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 128056 published 2019-08-22 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128056 title Rancher 1.6.x < 1.6.28 / 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Arbitrary Files Read Vulnerability code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(128056); script_version("1.2"); script_cvs_date("Date: 2019/10/17 14:31:04"); script_cve_id("CVE-2019-12274"); script_name(english:"Rancher 1.6.x < 1.6.28 / 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Arbitrary Files Read Vulnerability"); script_summary(english:"Checks version of Rancher."); script_set_attribute(attribute:"synopsis", value: "A Docker container of Rancher installed on the remote host is missing a security patch."); script_set_attribute(attribute:"description", value: "In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76c65d4b"); # https://github.com/rancher/rancher/releases/tag/v2.2.4 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?972b6c60"); # https://github.com/rancher/rancher/releases/tag/v2.1.10 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48cf906b"); # https://github.com/rancher/rancher/releases/tag/v2.0.15 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3693a71b"); # https://github.com/rancher/rancher/releases/tag/v1.6.28 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2d277a3"); script_set_attribute(attribute:"solution", value: "Upgrade to version 1.6.28 / 2.0.15 / 2.1.10 / 2.2.4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12274"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/05"); script_set_attribute(attribute:"patch_publication_date", value:"2019/06/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:rancher_labs:rancher"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("rancher_local_detection.nbin", "rancher_web_ui_detect.nbin"); script_require_keys("installed_sw/Rancher", "Settings/ParanoidReport"); exit(0); } include('vcf.inc'); include('vcf_extras.inc'); app = 'Rancher'; get_install_count(app_name:app, exit_if_zero:TRUE); app_info = vcf::combined_get_app_info(app:app); if (report_paranoia < 2) audit(AUDIT_PARANOID); constraints = [ {'min_version' : '1.6.0', 'fixed_version' : '1.6.28'}, {'min_version' : '2.0.0', 'fixed_version' : '2.0.15'}, {'min_version' : '2.1.0', 'fixed_version' : '2.1.10'}, {'min_version' : '2.2.0', 'fixed_version' : '2.2.4'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
References
- https://forums.rancher.com/c/announcements
- https://forums.rancher.com/c/announcements
- https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
- https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466