CVE-2020-10676

8.8 HIGH

📋 TL;DR

This vulnerability in Rancher 2.x allows users with namespace access to move namespaces between projects without proper authorization. It affects Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4. This is an authorization bypass that could lead to privilege escalation and project boundary violations.

💻 Affected Systems

Products:
  • Rancher
Versions: Rancher 2.x before 2.6.13, Rancher 2.7.x before 2.7.4
Operating Systems: All platforms running Rancher
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Rancher deployments with namespace access enabled. The vulnerability exists in the authorization logic for namespace movement operations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with namespace access could move critical namespaces to projects they control, gaining unauthorized access to sensitive workloads, data, and resources across the Kubernetes cluster.

🟠 Likely Case

Users with legitimate namespace access could accidentally or intentionally move namespaces to inappropriate projects, causing operational disruption, security boundary violations, and potential data exposure.

🟢 If Mitigated

With proper RBAC controls and project isolation, the impact is limited to namespace movement within authorized project boundaries, but still violates intended authorization checks.

🌐 Internet-Facing: MEDIUM - Rancher management interfaces are often internet-facing, but exploitation requires authenticated access to a namespace.
🏢 Internal Only: HIGH - Internal users with namespace access can exploit this to bypass project isolation and gain unauthorized access to other project resources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to a namespace. The vulnerability is in the authorization check logic, making exploitation straightforward for users with namespace permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Rancher 2.6.13 or 2.7.4

Vendor Advisory: https://forums.rancher.com/c/announcements

Restart Required: Yes

Instructions:

1. Back up your Rancher configuration and data.
2. Upgrade to Rancher 2.6.13 if on the 2.6.x series.
3. Upgrade to Rancher 2.7.4 if on the 2.7.x series.
4. Restart Rancher services.
5. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict namespace movement permissions (all platforms)

Tighten RBAC controls so that users do not hold the permissions needed to move namespaces:

kubectl edit clusterrole <role-name>

Remove the 'update' and 'patch' verbs on the namespaces resource.

🧯 If You Can't Patch

  • Implement strict RBAC controls to limit namespace access and movement permissions
  • Monitor namespace movement events and audit logs for unauthorized project transfers

🔍 How to Verify

Check if Vulnerable:

Check Rancher version: kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'v[0-9.]*'

Check Version:

kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}'

Verify Fix Applied:

Confirm version is 2.6.13 or higher for 2.6.x series, or 2.7.4 or higher for 2.7.x series
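The version comparison above has two branches (2.6.x and 2.7.x), which is easy to get wrong by hand. The following script is an added example, not part of the advisory page or Rancher's own tooling: it parses the image reference returned by the page's kubectl command and applies exactly the affected ranges the page states (2.x before 2.6.13, 2.7.x before 2.7.4). The kubectl invocation in the `__main__` block is the page's own query; the tag parsing tolerates suffixes such as `-rc1`.

```python
import re

# Fixed releases as stated on this page: 2.6.13 for the 2.6.x series and
# 2.7.4 for the 2.7.x series. Releases 2.8+ are outside the stated ranges.
TAG_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_rancher_version(image):
    """Extract (major, minor, patch) from an image reference such as
    'rancher/rancher:v2.7.3' or 'registry.example/rancher/rancher:v2.6.12-rc1'.
    Returns None when no version tag can be found (digest-only or untagged refs)."""
    tag = image.rsplit(":", 1)[-1] if ":" in image else ""
    m = TAG_RE.search(tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(image):
    """True when the running Rancher version falls inside the affected ranges
    given on this page. Raises ValueError if the version cannot be determined,
    so an unparsable image is never silently reported as safe."""
    v = parse_rancher_version(image)
    if v is None:
        raise ValueError(f"cannot determine Rancher version from image {image!r}")
    major, minor, patch = v
    if major != 2:
        return False          # the page only describes Rancher 2.x
    if minor == 7:
        return patch < 4      # 2.7.x before 2.7.4
    if minor > 7:
        return False          # 2.8+ is outside the stated ranges
    return (minor, patch) < (6, 13)   # 2.0 .. 2.6.12


if __name__ == "__main__":
    import subprocess

    # Same kubectl query as the page's "Check Version" step.
    cmd = ["kubectl", "get", "pods", "-n", "cattle-system", "-l", "app=rancher",
           "-o", "jsonpath={.items[0].spec.containers[0].image}"]
    image = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
    state = "VULNERABLE" if is_vulnerable(image) else "patched or outside affected ranges"
    print(f"{image}: {state}")
```

Run it on a workstation with cluster access; it exits non-zero if kubectl fails rather than guessing a result.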

📡 Detection & Monitoring

Log Indicators:

  • Namespace update events with project changes
  • Unauthorized namespace movement attempts in audit logs

Network Indicators:

  • API calls to move namespaces between projects

SIEM Query:

event.action:"update" AND kubernetes.namespace:* AND kubernetes.labels.project:*
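The log indicators above amount to one concrete check: a namespace update or patch whose project membership differs from what it was before. The script below is an added example, not part of the advisory page or of Rancher; it walks Kubernetes API-server audit events (RequestResponse level, JSON lines) in order, remembers the last project seen for each namespace, and emits an alert whenever an update/patch changes it. It assumes Rancher records project membership in the namespace annotation `field.cattle.io/projectId` (Rancher's data model, not stated on this page, so confirm it on your cluster). The audit lines are constructed for illustration.

```python
import json

# Rancher stores a namespace's project membership in this annotation; the value
# has the form "<cluster-id>:<project-id>". Assumption about Rancher's data
# model, not taken from the advisory page.
PROJECT_ANNOTATION = "field.cattle.io/projectId"


def _namespace_event(verb, user, name, project, stage="ResponseComplete",
                     ts="2024-01-01T10:00:00Z"):
    """Build one constructed audit event (sample data helper only)."""
    annotations = {PROJECT_ANNOTATION: project} if project else {}
    return json.dumps({
        "kind": "Event",
        "stage": stage,
        "verb": verb,
        "requestReceivedTimestamp": ts,
        "user": {"username": user},
        "objectRef": {"resource": "namespaces", "name": name},
        "responseObject": {"metadata": {"name": name, "annotations": annotations}},
    })


# Constructed audit log lines: a namespace created in one project, a harmless
# edit, a request-stage record with no response body, then a move to another
# project, and finally a namespace that belongs to no project at all.
SAMPLE_AUDIT_LINES = [
    _namespace_event("create", "admin", "payments", "local:p-aaaaa"),
    _namespace_event("update", "admin", "payments", "local:p-aaaaa"),
    _namespace_event("patch", "dev-user", "payments", "local:p-aaaaa", stage="RequestReceived"),
    _namespace_event("patch", "dev-user", "payments", "local:p-bbbbb"),
    _namespace_event("update", "admin", "scratch", None),
]


def project_of(obj):
    """Project id from a namespace object, or None if it carries none."""
    meta = (obj or {}).get("metadata") or {}
    return (meta.get("annotations") or {}).get(PROJECT_ANNOTATION)


def detect_namespace_moves(lines):
    """Return one alert dict per namespace update/patch that changed the
    project annotation. Only ResponseComplete events are considered, because
    earlier audit stages carry no responseObject to compare against."""
    last_project = {}
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "namespaces" or ev.get("stage") != "ResponseComplete":
            continue
        name = ref.get("name")
        new_project = project_of(ev.get("responseObject"))
        old_project = last_project.get(name)
        if (ev.get("verb") in ("update", "patch") and old_project is not None
                and new_project != old_project):
            alerts.append({
                "time": ev.get("requestReceivedTimestamp"),
                "user": (ev.get("user") or {}).get("username"),
                "namespace": name,
                "from": old_project,
                "to": new_project,   # None means the namespace left every project
            })
        if new_project is not None:
            last_project[name] = new_project
    return alerts


if __name__ == "__main__":
    import sys

    # Pass an audit log file path, or run without arguments on the sample data.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUDIT_LINES
    for alert in detect_namespace_moves(source):
        print(json.dumps(alert))
```

Because the baseline is whatever project the namespace was last seen in, start the scan from a point in the log that predates the suspected move (or seed `last_project` from a current `kubectl get namespaces -o json` snapshot) so the first change is not missed.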
