CVE-2026-41053
Status: Received - Intake

Authentication Bypass in Rancher GitHub Provider

Vulnerability report for CVE-2026-41053, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: SUSE

Description

Incorrect authentication caching in the team membership expansion of the Rancher GitHub authentication provider caused it to grant team principal access to any logged-in user, in 2.13 before 2.13.6 and 2.14 before 2.14.2.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor    Product    Version / Range
rancher   rancher    From 2.13.0 (inclusive) to 2.13.6 (exclusive)
rancher   rancher    From 2.14.0 (inclusive) to 2.14.2 (exclusive)

Exploitability

CWE-303: The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.


AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized access to resources by incorrectly granting permissions to users beyond their intended scope. Such unauthorized access can lead to breaches of confidentiality, integrity, and availability of sensitive data.

In the context of compliance with common standards and regulations like GDPR and HIPAA, this unauthorized access could result in violations related to data protection and privacy requirements. For example, GDPR mandates strict controls on personal data access, and HIPAA requires safeguarding protected health information. Exploitation of this vulnerability could undermine these controls, potentially leading to non-compliance, legal penalties, and reputational damage.

Therefore, organizations using affected Rancher versions should prioritize patching to maintain compliance and protect sensitive data.

Executive Summary

This vulnerability exists in Rancher Manager's GitHub App authentication provider in versions 2.13 before 2.13.6 and 2.14 before 2.14.2. It is caused by incorrect team membership expansion during permission evaluation. When a user authenticates via the GitHub App provider, Rancher incorrectly grants access to all teams in the associated GitHub organization instead of only the teams the user actually belongs to.

The issue arises because the authentication provider iterates over all teams in the organization rather than using the user-specific team membership list from the cache. This allows a malicious user who is a member of any team in a GitHub organization to gain unauthorized access to other teams in that organization.

If those other teams are mapped to Rancher RBAC roles or login allowlists, the attacker can inherit permissions they were never granted.
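The following Go program is an added illustration of the over-expansion described above; it is not Rancher's code. It models a membership cache with two views (every team in the organization, and the teams a particular user belongs to), a vulnerable expansion that walks the whole organization, a fixed expansion that uses the user-specific list, and an allowlist check standing in for Rancher's allowedPrincipalIds. The `github_team://<org>/<team>` principal shape, the organization `acme`, and the users `mallory` and `alice` are constructed for the example and are assumptions, not the real provider's format.

```go
package main

import (
	"fmt"
	"sort"
)

// membershipCache is a hypothetical stand-in for the provider's cache.
type membershipCache struct {
	orgTeams  map[string][]string            // org -> every team in that org
	userTeams map[string]map[string][]string // user -> org -> teams the user belongs to
}

// teamPrincipal builds a principal ID; the format is an assumption for this example.
func teamPrincipal(org, team string) string {
	return fmt.Sprintf("github_team://%s/%s", org, team)
}

// vulnerableExpand mirrors the defect: it iterates over every team in the
// organization and emits a principal for each, ignoring the user entirely.
func vulnerableExpand(c *membershipCache, org, user string) []string {
	_ = user // the flaw: the user-specific membership list is never consulted
	var out []string
	for _, t := range c.orgTeams[org] {
		out = append(out, teamPrincipal(org, t))
	}
	sort.Strings(out)
	return out
}

// fixedExpand uses the user-specific team membership list from the cache.
func fixedExpand(c *membershipCache, org, user string) []string {
	var out []string
	for _, t := range c.userTeams[user][org] {
		out = append(out, teamPrincipal(org, t))
	}
	sort.Strings(out)
	return out
}

// allowed reports whether any expanded principal appears in the allowlist
// (an allowedPrincipalIds list modelled as a set).
func allowed(principals []string, allowlist map[string]bool) bool {
	for _, p := range principals {
		if allowlist[p] {
			return true
		}
	}
	return false
}

// newSampleCache returns constructed sample data: mallory is only in "docs",
// alice is in "admins" and "sre", and the org also has an "admins" team.
func newSampleCache() *membershipCache {
	return &membershipCache{
		orgTeams: map[string][]string{"acme": {"admins", "docs", "sre"}},
		userTeams: map[string]map[string][]string{
			"mallory": {"acme": {"docs"}},
			"alice":   {"acme": {"admins", "sre"}},
		},
	}
}

func main() {
	c := newSampleCache()
	// Only the admins team principal is allowed to log in.
	allow := map[string]bool{teamPrincipal("acme", "admins"): true}
	fmt.Println("mallory (vulnerable):", allowed(vulnerableExpand(c, "acme", "mallory"), allow))
	fmt.Println("mallory (fixed):     ", allowed(fixedExpand(c, "acme", "mallory"), allow))
	fmt.Println("alice (fixed):       ", allowed(fixedExpand(c, "acme", "alice"), allow))
}
```

With the vulnerable expansion, mallory (a member of "docs" only) is granted the "admins" team principal and passes the allowlist; with the fixed expansion she is not, while alice, a genuine admins member, still is. Any RBAC binding keyed on the admins principal would have inherited the same over-grant.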

Impact Analysis

This vulnerability can lead to unauthorized access within Rancher environments. A malicious user with membership in any GitHub team can gain access to other teams' permissions and resources that they should not have.

This unauthorized access can compromise confidentiality, integrity, and availability of the system, as the attacker may inherit roles and permissions mapped to other teams, potentially allowing them to view, modify, or disrupt resources.

Exploitation requires the GitHub App authentication provider to be enabled and configured, and the attacker to have a valid GitHub account with team membership.

Temporary mitigations include disabling the GitHub App authentication provider, removing team-based group principals from allowed principalIds, auditing and removing RBAC bindings referencing GitHub App team principals, or disabling provider refresh. However, upgrading to a patched version is strongly recommended.

Detection Guidance

Detection of this vulnerability involves auditing the Rancher Manager setup to check if the GitHub App authentication provider is enabled and configured for your organization.

You should review RBAC bindings and allowed principalIds for any references to GitHub App team principals that might be incorrectly granting access.

Since the vulnerability involves incorrect team membership expansion, monitoring logs for unexpected access patterns or permissions granted to users beyond their actual GitHub team memberships can help identify exploitation.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include disabling the GitHub App authentication provider to prevent further exploitation.

Remove team-based group principals from allowed principalIds to restrict unauthorized access.

Audit and remove RBAC bindings that reference GitHub App team principals to eliminate inflated permissions.

Disabling provider refresh can help clean up inflated group membership temporarily, but this does not fully resolve the issue.

Upgrading Rancher Manager to patched versions v2.13.6 or v2.14.2 is strongly recommended as the definitive fix.
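As an added example covering both the detection step (find RBAC bindings and allowedPrincipalIds entries that reference GitHub team principals) and the interim mitigation (prune team principals from the allowlist), the Go program below audits a constructed JSON dump. It is not Rancher tooling. The input shape assumes the `groupPrincipalName` field found on GlobalRoleBinding, ClusterRoleTemplateBinding and ProjectRoleTemplateBinding objects and the `allowedPrincipalIds` field of an AuthConfig, as returned by `kubectl get ... -o json`; the `github_team://` prefix is assumed from Rancher's classic GitHub provider and should be confirmed against the principal IDs your GitHub App provider actually emits before relying on it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// teamPrefix is an assumption; verify it against your own authconfig.
const teamPrefix = "github_team://"

// binding is a minimal view of a Rancher role binding with only the fields
// the audit needs (assumed field names, see lead-in).
type binding struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	GroupPrincipalName string `json:"groupPrincipalName"`
	UserPrincipalName  string `json:"userPrincipalName"`
}

// authConfig is a minimal view of the provider's AuthConfig object.
type authConfig struct {
	AllowedPrincipalIds []string `json:"allowedPrincipalIds"`
}

// Constructed sample data shaped like the items array of `kubectl get -o json`.
const sampleBindings = `[
  {"kind":"GlobalRoleBinding","metadata":{"name":"grb-admins"},"groupPrincipalName":"github_team://1001"},
  {"kind":"ClusterRoleTemplateBinding","metadata":{"name":"crtb-alice"},"userPrincipalName":"github_user://42"},
  {"kind":"ProjectRoleTemplateBinding","metadata":{"name":"prtb-sre"},"groupPrincipalName":"github_team://1002"},
  {"kind":"ProjectRoleTemplateBinding","metadata":{"name":"prtb-org"},"groupPrincipalName":"github_org://7"}
]`

const sampleAuthConfig = `{"allowedPrincipalIds":["github_org://7","github_team://1001","github_user://42"]}`

func isTeamPrincipal(id string) bool { return strings.HasPrefix(id, teamPrefix) }

// teamBindings returns "Kind/name" for every binding whose group principal is a
// GitHub team principal: these are the bindings an unpatched provider can
// hand to any logged-in team member, so they need review or removal.
func teamBindings(raw string) ([]string, error) {
	var bs []binding
	if err := json.Unmarshal([]byte(raw), &bs); err != nil {
		return nil, err
	}
	var out []string
	for _, b := range bs {
		if isTeamPrincipal(b.GroupPrincipalName) {
			out = append(out, b.Kind+"/"+b.Metadata.Name)
		}
	}
	return out, nil
}

// pruneAllowlist splits allowedPrincipalIds into entries to keep and team
// principals to drop while the provider remains unpatched.
func pruneAllowlist(raw string) (keep, dropped []string, err error) {
	var ac authConfig
	if err = json.Unmarshal([]byte(raw), &ac); err != nil {
		return nil, nil, err
	}
	for _, id := range ac.AllowedPrincipalIds {
		if isTeamPrincipal(id) {
			dropped = append(dropped, id)
		} else {
			keep = append(keep, id)
		}
	}
	return keep, dropped, nil
}

func main() {
	flagged, err := teamBindings(sampleBindings)
	if err != nil {
		panic(err)
	}
	fmt.Println("bindings referencing team principals:", flagged)
	keep, dropped, err := pruneAllowlist(sampleAuthConfig)
	if err != nil {
		panic(err)
	}
	fmt.Println("allowedPrincipalIds to keep:", keep)
	fmt.Println("team principals to remove:", dropped)
}
```

The audit flags only group-principal bindings; a user-principal binding such as `crtb-alice` is unaffected, because the flaw is in team membership expansion, not in per-user principals. Org-level principals are left in place here since the page attributes the over-grant to team expansion alone; whether to keep them is a policy decision for the operator.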
