CVE-2021-25320
📋 TL;DR
This CVE-2021-25320 vulnerability in Rancher allows authenticated users within a cluster to access cloud provider credentials by making requests with cloud-credential IDs, bypassing proper access controls. Rancher would attach the requested credentials without authorization checks, potentially exposing sensitive cloud infrastructure. This affects Rancher versions prior to 2.5.9 and versions prior to 2.4.16.
💻 Affected Systems
- Rancher
📦 What is this software?
Rancher by Rancher
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to cloud infrastructure (AWS, Azure, GCP) associated with the cluster, leading to data exfiltration, resource destruction, or lateral movement into other cloud environments.
Likely Case
Malicious or compromised users within the cluster escalate privileges to access cloud resources they shouldn't have permission to, potentially exposing sensitive data or incurring cloud costs.
If Mitigated
With proper network segmentation and least-privilege access controls, impact is limited to the specific cluster where exploitation occurs.
🎯 Exploit Status
Exploitation requires authenticated access to the Rancher cluster but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.5.9 or 2.4.16
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1185514
Restart Required: Yes
Instructions:
1. Backup your Rancher configuration.
2. Upgrade to Rancher 2.5.9 or 2.4.16 following official upgrade procedures.
3. Verify the upgrade completed successfully.
4. Restart Rancher services.
🔧 Temporary Workarounds
Restrict Cloud Credential Access
Limit which users have permissions to create or modify cloud credentials in Rancher.
Use Rancher RBAC to restrict 'cloudcredentials' permissions to only necessary administrators
Network Segmentation
Isolate Rancher management interfaces from regular user access.
Configure firewall rules to restrict access to Rancher API endpoints
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can access cloud credential functionality
- Monitor and audit all cloud credential access attempts and API calls
🔍 How to Verify
Check if Vulnerable:
Check the Rancher version via the UI or API. If the version is below 2.5.9 (for 2.5.x) or below 2.4.16 (for 2.4.x), the system is vulnerable.
Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'rancher/rancher:[^ ]*'
Verify Fix Applied:
Confirm Rancher version is 2.5.9 or higher (for 2.5.x) or 2.4.16 or higher (for 2.4.x) after upgrade.
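The following is an added example, not part of the original advisory or of Rancher's own tooling. It takes the image reference returned by the kubectl query above, parses the release tag, and applies the version thresholds this page states (2.4.x fixed at 2.4.16, 2.5.x fixed at 2.5.9). Anything older than the 2.4 branch predates both fixes and is flagged; 2.6 and later is outside the ranges the page lists. The sample tags in the main block are constructed so the script can be exercised offline; `running_rancher_image` assumes kubectl is on PATH with a kubeconfig pointing at the cluster that hosts Rancher.

```python
"""Added example: classify a Rancher image tag against the CVE-2021-25320
version thresholds listed on this page. Illustrative code, not Rancher's
own tooling; the sample tags below are constructed."""
import re
import subprocess

# Fixed patch level per branch, as stated in the advisory on this page.
FIXED = {(2, 4): 16, (2, 5): 9}

# Release tags look like rancher/rancher:v2.5.8 (the "v" is optional here).
TAG_RE = re.compile(r"rancher/rancher:v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image):
    """Return (major, minor, patch) from an image reference, or None when the
    tag is not a release version (e.g. a '-head' tag or a digest-only ref)."""
    m = TAG_RE.search(image)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Apply the page's thresholds:
    - 2.4.x is vulnerable below 2.4.16
    - 2.5.x is vulnerable below 2.5.9
    - anything older than 2.4 predates both fixes and is treated as vulnerable
    - 2.6+ is outside the affected ranges the page states
    """
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    return branch < (2, 4)


def assess(image):
    """Map an image reference to 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(image)
    if version is None:
        return "unknown"  # non-release tag: verify the build manually
    return "vulnerable" if is_vulnerable(version) else "fixed"


def running_rancher_image():
    """Run the kubectl query shown above and return the image reference.
    Assumes kubectl is on PATH and the kubeconfig targets the Rancher cluster."""
    out = subprocess.run(
        ["kubectl", "get", "pods", "-n", "cattle-system", "-l", "app=rancher",
         "-o", "jsonpath={.items[0].spec.containers[0].image}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample tags so the logic can be checked without a cluster.
    for tag in ["rancher/rancher:v2.5.8", "rancher/rancher:v2.5.9",
                "rancher/rancher:v2.4.15", "rancher/rancher:v2.4.16",
                "rancher/rancher:v2.6.0", "rancher/rancher:master-head"]:
        print(f"{tag:32} {assess(tag)}")
```

Run it against a live cluster by replacing the sample loop with `print(assess(running_rancher_image()))`; a result of `unknown` means the pod runs a non-release tag and the build should be checked by hand rather than assumed fixed.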
📡 Detection & Monitoring
Log Indicators:
- Unusual cloud credential API calls from non-admin users
- Multiple failed then successful credential access attempts
Network Indicators:
- Unexpected outbound connections to cloud provider APIs from Rancher nodes
SIEM Query:
source="rancher" AND ("cloud-credential" OR "cloudcredential") AND user!="admin"
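As an added example (not part of the original page, and not Rancher's own code), the two log indicators and the SIEM query above applied to a handful of constructed audit-style records. The record layout and field names (`source`, `user`, `path`, `status`, `ts`) are assumptions for the example; map them onto whatever fields your SIEM stores for Rancher API audit logs. The first function mirrors the SIEM query; the second looks for the "multiple failed then successful" pattern per user.

```python
"""Added example: run this page's detection logic over constructed Rancher
audit-style records. Field names are assumptions for the example."""
from collections import defaultdict

# Constructed sample records, loosely modelled on Rancher API audit entries
# after SIEM ingestion. Nothing here comes from a real deployment.
SAMPLE_LOGS = [
    {"ts": 1, "source": "rancher", "user": "admin",  "path": "/v3/cloudcredentials/cc-1", "status": 200},
    {"ts": 2, "source": "rancher", "user": "u-dev1", "path": "/v3/clusters/c-1",          "status": 200},
    {"ts": 3, "source": "rancher", "user": "u-dev1", "path": "/v3/cloudcredentials/cc-1", "status": 403},
    {"ts": 4, "source": "rancher", "user": "u-dev1", "path": "/v3/cloudcredentials/cc-2", "status": 403},
    {"ts": 5, "source": "rancher", "user": "u-dev1", "path": "/v3/cloud-credential/cc-2", "status": 200},
    {"ts": 6, "source": "nginx",   "user": "u-dev1", "path": "/v3/cloudcredentials/cc-1", "status": 200},
    {"ts": 7, "source": "rancher", "user": "u-ops",  "path": "/v3/cloudcredentials/cc-3", "status": 200},
]

KEYWORDS = ("cloud-credential", "cloudcredential")


def matches_siem_query(rec):
    """Mirror the SIEM query on this page:
    source="rancher" AND ("cloud-credential" OR "cloudcredential") AND user!="admin"
    The keyword test is a substring match over every field, as a SIEM
    free-text term would be."""
    text = " ".join(str(v) for v in rec.values()).lower()
    return (rec.get("source") == "rancher"
            and any(k in text for k in KEYWORDS)
            and rec.get("user") != "admin")


def non_admin_credential_calls(records):
    """Log indicator 1: cloud credential API calls from non-admin users."""
    return [r for r in records if matches_siem_query(r)]


def failed_then_success(records, min_failures=2):
    """Log indicator 2: per user, at least `min_failures` denied credential
    calls (401/403) followed by a successful one. Returns (user, ts) pairs
    for the successful call that completed the pattern."""
    streak = defaultdict(int)
    hits = []
    for r in sorted(non_admin_credential_calls(records), key=lambda r: r["ts"]):
        user = r["user"]
        if r["status"] in (401, 403):
            streak[user] += 1
        elif 200 <= r["status"] < 300:
            if streak[user] >= min_failures:
                hits.append((user, r["ts"]))
            streak[user] = 0
        # other statuses (5xx, 404) neither extend nor reset the streak
    return hits


if __name__ == "__main__":
    for r in non_admin_credential_calls(SAMPLE_LOGS):
        print("non-admin credential call:", r["user"], r["path"], r["status"])
    for user, ts in failed_then_success(SAMPLE_LOGS):
        print(f"failed-then-success pattern: user={user} success_ts={ts}")
```

On the sample data the query matches four records (the admin call and the non-Rancher source are excluded), and only `u-dev1` shows the denied-then-allowed sequence. The `min_failures` threshold is the knob to tune against your own baseline so that a single mistyped request does not page anyone.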