CVE-2026-44949
Status: Received - Intake

Rancher FleetWorkspace Admission Path Privilege Escalation

Vulnerability report for CVE-2026-44949, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: SUSE

Description

A Rancher FleetWorkspace admission path allowed side effects to occur in the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to the in-cluster rancher-webhook service could submit a crafted admission payload and cause workspace-related Kubernetes objects to be created with attacker-chosen identity data.


Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A

Affected Vendors & Products

Showing 8 associated CPEs

Vendor   Product   Version / Range
rancher  webhook   from 0.7.0 (inclusive) to 0.7.10 (exclusive)
rancher  webhook   from 0.8.0 (inclusive) to 0.8.7 (exclusive)
rancher  webhook   from 0.9.0 (inclusive) to 0.9.6 (exclusive)
rancher  webhook   from 0.10.0 (inclusive) to 0.10.7 (exclusive)
rancher  webhook   0.10.7
rancher  webhook   0.9.6
rancher  webhook   0.8.7
rancher  webhook   0.7.10

Exploitability

CWE ID   Description
CWE-306  The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the rancher-webhook component of Rancher FleetWorkspace for certain versions. It allows an unauthenticated attacker who has network access to the in-cluster rancher-webhook service to submit a specially crafted admission payload. This crafted payload causes workspace-related Kubernetes objects to be created with attacker-chosen identity data.

Essentially, the attacker can create namespaces and inject Role-Based Access Control (RBAC) settings without authentication, potentially altering the integrity of Fleet workspace permissions.

Impact Analysis

The vulnerability can lead to unauthorized changes in the integrity of Fleet workspace RBAC configurations for newly created workspaces. This means an attacker could gain unauthorized access or privileges within the Kubernetes cluster by creating namespaces and assigning permissions without proper authentication.

Exploitation requires the attacker to already have some foothold inside the cluster (code execution or other network reachability to the in-cluster rancher-webhook service), but once exploited, it can compromise the security boundaries within the cluster, potentially leading to privilege escalation or unauthorized resource access.

There is no full workaround other than upgrading to patched versions, but applying webhook hardening guidance and restricting network access to the webhook service can reduce the attack surface.

Detection Guidance

Detection of this vulnerability involves identifying if your Rancher webhook component is running a vulnerable version and if the in-cluster rancher-webhook service is accessible to unauthenticated network requests.

You can check the version of the rancher-webhook component deployed in your cluster by running commands like:

  • kubectl -n cattle-system get pods -l app=rancher-webhook -o jsonpath='{.items[0].spec.containers[0].image}'

To detect unauthorized or suspicious admission requests, you can review the logs of the rancher-webhook pods for unusual admission payloads or workspace creation events:

  • kubectl -n cattle-system logs <rancher-webhook-pod-name>

Additionally, you can attempt to access the webhook service from within the cluster to verify if it is exposed without authentication, for example:

  • kubectl -n cattle-system port-forward svc/rancher-webhook 8443:443
  • curl -k https://localhost:8443/

The curl request checks whether the webhook endpoint responds without authentication.
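The version check above is a one-line kubectl query; the script below, an added example that is not part of this record or of Rancher's own tooling, wraps it in a POSIX sh function that parses the image tag and compares it against the four affected ranges listed in this record. It assumes that the rancher-webhook container image tag (for example `v0.10.5`) matches the webhook version, and that the webhook pods carry the `app=rancher-webhook` label used in the detection guidance; both are assumptions, not facts stated by the advisory. Pre-release suffixes such as `-rc1` are treated as their base patch level.

```shell
#!/bin/sh
# Added example (not from the advisory or from Rancher): classify a
# rancher-webhook image reference against the affected ranges given above.
# Affected: 0.7.0-0.7.9, 0.8.0-0.8.6, 0.9.0-0.9.5, 0.10.0-0.10.6.
# Fixed:    0.7.10, 0.8.7, 0.9.6, 0.10.7.

# Extract the version from an image reference, e.g.
# "rancher/rancher-webhook:v0.10.5" -> "0.10.5".
# A digest suffix ("@sha256:...") is dropped first; the tag is the text
# after the last colon, and a registry port is rejected because it
# contains a "/" after it.
webhook_tag() {
  ref=${1%%@*}
  case "$ref" in
    *:*) tag=${ref##*:} ;;
    *)   tag="" ;;
  esac
  case "$tag" in
    */*) tag="" ;;          # "host:5000/image" without a tag
  esac
  printf '%s\n' "${tag#v}"
}

# Return 0 if the version in image reference $1 falls inside an affected
# range, 1 otherwise (unparseable tags and minor lines not listed in the
# record are treated as not affected, so check them by hand).
webhook_vulnerable() {
  v=$(webhook_tag "$1")
  [ -n "$v" ] || return 1
  major=${v%%.*}
  rest=${v#*.}
  case "$rest" in
    *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
    *)   minor=$rest;        patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}   # assumption: "7-rc1" counts as patch level 7
  patch=${patch:-0}
  [ "$major" = "0" ] || return 1
  case "$minor" in
    7)  fixed=10 ;;
    8)  fixed=7 ;;
    9)  fixed=6 ;;
    10) fixed=7 ;;
    *)  return 1 ;;
  esac
  [ "$patch" -lt "$fixed" ]
}

# Run the kubectl query from the detection guidance and classify the
# running image. Exit 0 = affected, 1 = not in an affected range,
# 2 = the query itself failed (no cluster access, label mismatch, ...).
report_running_webhook() {
  img=$(kubectl -n cattle-system get pods -l app=rancher-webhook \
          -o jsonpath='{.items[0].spec.containers[0].image}') || return 2
  if webhook_vulnerable "$img"; then
    printf 'AFFECTED: %s (upgrade to 0.7.10 / 0.8.7 / 0.9.6 / 0.10.7)\n' "$img"
    return 0
  fi
  printf 'not in an affected range: %s\n' "$img"
  return 1
}

# Only touch the cluster when explicitly asked, so the functions can be
# sourced and exercised offline:  CHECK_CLUSTER=1 sh check-webhook.sh
if [ -n "${CHECK_CLUSTER:-}" ]; then
  report_running_webhook
fi
```

The comparison is done with parameter expansion rather than `sort -V` so it runs under dash and busybox sh as well as bash; an image pinned only by digest yields an empty tag and is reported as not parseable, which is the cue to look up the tag for that digest in the registry rather than assume it is safe.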

Mitigation Strategies

The primary mitigation step is to upgrade the rancher-webhook component to a patched version. The fixed versions are 0.10.7, 0.9.6, 0.8.7, and 0.7.10, corresponding to Rancher releases v2.14.3, v2.13.7, v2.12.11, and v2.11.15.

If immediate upgrade is not possible, you should apply Rancher webhook hardening guidance and restrict network access to the rancher-webhook service to reduce the attack surface.

  • Restrict network paths to the webhook service so that only authorized components can communicate with it.
  • Implement network policies or firewall rules to block unauthenticated access to the webhook.

No full workaround exists without upgrading, so prioritizing the upgrade is critical to fully mitigate the vulnerability.

Compliance Impact

The vulnerability allows an unauthenticated attacker to create Kubernetes objects with attacker-chosen identity data, potentially leading to unauthorized integrity changes in Fleet workspace RBAC. This unauthorized access and manipulation of identity data could impact compliance with standards and regulations such as GDPR and HIPAA, which require strict controls over identity management and data integrity to protect sensitive information.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.
