Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in the Rancher CLI login command when using self-signed CA certificates combined with the -skip-verify flag without also specifying the --cacert flag. Under these conditions, the CLI attempts to fetch CA certificates from Rancher Manager's stored settings (cacerts). An attacker with network-level access can manipulate this process, supplying malicious CA certificates and bypassing TLS security controls. This effectively disables proper TLS verification, exposing the communication to man-in-the-middle attacks and compromising secure communications."}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to serious security impacts including the compromise of confidentiality, integrity, and availability of communications between the Rancher CLI and Rancher Manager. An attacker could perform man-in-the-middle attacks by supplying malicious CA certificates, intercepting or altering sensitive data such as authentication headers. This can result in unauthorized access, data breaches, and disruption of services.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves the Rancher CLI login command using the -skip-verify flag without the --cacert flag, which causes the CLI to fetch CA certificates from Rancher's stored settings. Detection involves identifying usage of the Rancher CLI login command with these specific flags."}, {'type': 'paragraph', 'content': 'To detect this on your system or network, you can monitor command-line usage or audit logs for Rancher CLI login commands that include the -skip-verify flag but omit the --cacert flag.'}, {'type': 'paragraph', 'content': 'Example commands to check for such usage might include searching shell history or process execution logs:'}, {'type': 'list_item', 'content': "grep -- '-skip-verify' ~/.bash_history | grep -v -- '--cacert'"}, {'type': 'list_item', 'content': "ps aux | grep 'rancher login' | grep -- '-skip-verify' | grep -v -- '--cacert'"}, {'type': 'paragraph', 'content': 'Additionally, network monitoring tools can be used to detect unusual TLS handshake behavior or attempts to fetch CA certificates from Rancher settings during login.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include ensuring that when using the Rancher CLI login command with self-signed CA certificates, the --cacert flag is always explicitly provided along with the -skip-verify flag to prevent the CLI from fetching CA certificates from Rancher's stored settings."}, {'type': 'paragraph', 'content': 'Upgrading to a patched version of Rancher CLI is strongly recommended. Patched versions include Rancher releases 2.13.2, 2.12.6, 2.11.10, and 2.10.11, which remove the vulnerable behavior.'}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, always avoid using the -skip-verify flag alone and never omit the --cacert flag when self-signed certificates are involved.'}, {'type': 'paragraph', 'content': 'Monitoring and restricting network-level access between the CLI and Rancher Manager can also reduce the risk of man-in-the-middle attacks exploiting this vulnerability.'}] [2, 1]

Useful 0 Not Useful 0