CVE-2021-36775
📋 TL;DR
CVE-2021-36775 is an improper access control vulnerability in SUSE Rancher that allows users to retain privileges after they should have been revoked. This affects Rancher installations where user permissions are managed through role-based access control. Organizations using vulnerable versions of Rancher for Kubernetes management are at risk.
💻 Affected Systems
- SUSE Rancher
📦 What is this software?
Rancher by Rancher
Rancher by Rancher
Rancher by Rancher
⚠️ Risk & Real-World Impact
Worst Case
Attackers with previously revoked privileges could maintain persistent access to sensitive Kubernetes clusters, potentially leading to data exfiltration, resource hijacking, or complete cluster compromise.
Likely Case
Former administrators or users with elevated privileges could continue accessing resources they should no longer have permission to view or modify, violating security policies and compliance requirements.
If Mitigated
With proper network segmentation and monitoring, unauthorized access attempts could be detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has valid credentials that were previously revoked.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.4.18, 2.5.12, or 2.6.3
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1189120
Restart Required: Yes
Instructions:
1. Backup your Rancher configuration and data. 2. Upgrade to Rancher 2.4.18, 2.5.12, or 2.6.3 depending on your current version. 3. Restart Rancher services. 4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Manual privilege verification and revocation
linuxRegularly audit and manually revoke privileges for all users, especially those who should no longer have access.
kubectl get clusterrolebindings
kubectl get rolebindings --all-namespaces
rancher users ls
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Rancher management plane from production workloads
- Enable comprehensive audit logging and implement real-time alerting for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Rancher version using: kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}'Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'rancher/rancher:v[0-9.]*'Verify Fix Applied:
Verify version is 2.4.18, 2.5.12, or 2.6.3 or higher, then test that revoked users cannot access previously granted resources.📡 Detection & Monitoring
Log Indicators:
- Unexpected successful authentication from users who should be revoked
- API calls from users with recently revoked privileges
- Failed revocation attempts in audit logs
Network Indicators:
- Unusual API traffic patterns from previously authorized IP addresses
- Authentication requests from deprovisioned user accounts
SIEM Query:
source="rancher" AND (event="authentication_success" OR event="api_call") AND user IN [list_of_revoked_users]