CVE-2021-36784
📋 TL;DR
This vulnerability lets an authenticated user who holds the restricted-admin global role in Rancher escalate to full administrator. It affects Rancher 2.5.x before 2.5.13 and Rancher 2.6.x before 2.6.4 ("SUSE Rancher" and "Rancher" in the advisory are the same product; the two version lines are its 2.5 and 2.6 release branches). The result is unauthorized administrative control over the Rancher management server and, through it, every downstream cluster it manages.
💻 Affected Systems
- SUSE Rancher 2.5.x before 2.5.13
- Rancher 2.6.x before 2.6.4
📦 What is this software?
Rancher is SUSE's Kubernetes management platform: a central management server that provisions and manages downstream Kubernetes clusters and enforces access control across them through global roles (such as admin and restricted-admin) plus per-cluster and per-project roles. Restricted-admin is intended to be a near-admin role that is still kept away from full control of the management server.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with restricted-admin access gains full administrative control over the Rancher management server, allowing them to deploy malicious workloads, read sensitive data (cluster credentials, secrets, user records), modify configuration and authentication settings, and compromise every downstream Kubernetes cluster Rancher manages.
Likely Case
Malicious or compromised users with restricted-admin privileges escalate to full admin and gain unauthorized access to manage clusters, users, and resources within the Rancher environment.
If Mitigated
If restricted-admin is granted only to a small set of trusted accounts and administrative API activity is audited and alerted on, the impact is limited to unauthorized administrative actions that can be detected and rolled back before significant damage occurs.
🎯 Exploit Status
Exploitation requires an authenticated account that already holds the restricted-admin global role; the advisory references no public exploit. The root cause is improper privilege management: restricted-admin users could reach operations that should have been reserved for full admins, and through normal administrative API functions obtain the admin role.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.5.13 (2.5 branch) or Rancher 2.6.4 (2.6 branch)
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1193991
Restart Required: Yes (the upgrade replaces the running Rancher pods or container)
Instructions:
1. Back up your Rancher configuration and data (take an etcd/Rancher backup before touching the management server).
2. Upgrade to Rancher 2.5.13 or Rancher 2.6.4 using the deployment method you installed with (Helm chart, single Docker container, or RKE-provisioned cluster).
3. Restart Rancher services if the upgrade did not already recreate them.
4. Verify the upgrade was successful by checking the running image version.
🔧 Temporary Workarounds
Remove restricted-admin role assignments
Temporarily remove the restricted-admin global role from all users and groups until patching can be completed. Restricted-admin is a Rancher global role, not a Kubernetes ClusterRole, so it is granted through GlobalRoleBinding objects (management.cattle.io/v3) in the Rancher local cluster, not through clusterrolebindings. Run the following against the local (Rancher) cluster's kubeconfig, and record every binding you delete so it can be restored after the upgrade:
kubectl get globalrolebindings.management.cattle.io -o json | jq -r '.items[] | select(.globalRoleName=="restricted-admin") | "\(.metadata.name) \(.userName // .groupPrincipalName)"'
kubectl delete globalrolebinding.management.cattle.io <binding-name>
🧯 If You Can't Patch
- Immediately audit and remove all restricted-admin role assignments from users
- Enable Rancher API audit logging and alert on administrative actions (especially global-role, user and authentication-setting changes) performed by restricted-admin users
🔍 How to Verify
Check if Vulnerable:
Check the Rancher version in the UI (Settings -> About) or from the local cluster with kubectl. The version is vulnerable if it is below 2.5.13 on the 2.5 branch or below 2.6.4 on the 2.6 branch.
Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'v[0-9.]*'
For a single-node Docker install, read the image tag of the Rancher container with docker ps instead.
Verify Fix Applied:
Verify the running version is 2.5.13 or higher on the 2.5 branch, or 2.6.4 or higher on the 2.6 branch. Then sign in as a test user that holds only restricted-admin and confirm it cannot obtain or grant the admin global role.
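The two checks above (is this image tag in the affected range, and who currently holds restricted-admin) as a small added Python script. This is example code written for this page, not Rancher's own tooling. It assumes the GlobalRoleBinding JSON shape produced by kubectl get globalrolebindings.management.cattle.io -o json (top-level globalRoleName, userName and groupPrincipalName fields); the sample JSON is constructed inline so the script runs offline.

```python
"""Added example for CVE-2021-36784: version-range check plus an audit of
GlobalRoleBindings that grant the restricted-admin global role."""
import json
import re

# First fixed release per affected minor branch (from the advisory).
FIXED = {(2, 5): (2, 5, 13), (2, 6): (2, 6, 4)}


def parse_version(image):
    """Extract (major, minor, patch) from an image reference such as
    'rancher/rancher:v2.6.3' or 'registry.example:5000/rancher/rancher:v2.5.12'.
    A ':5000' registry port has no dots after it, so the regex skips it."""
    m = re.search(r':v?(\d+)\.(\d+)\.(\d+)', image)
    if not m:
        raise ValueError(f"no semantic version found in {image!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(image):
    """True when the image's Rancher version is below the fixed release of its
    branch. Branches older than 2.5 never received the fix (vulnerable);
    branches newer than 2.6 were released after it (fixed)."""
    version = parse_version(image)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (2, 5)


def restricted_admin_bindings(grb_list_json):
    """Return (binding name, subject) for every GlobalRoleBinding whose
    globalRoleName is restricted-admin. Subject is the user name or, for
    group bindings, the group principal."""
    items = json.loads(grb_list_json)["items"]
    found = []
    for binding in items:
        if binding.get("globalRoleName") == "restricted-admin":
            subject = binding.get("userName") or binding.get("groupPrincipalName")
            found.append((binding["metadata"]["name"], subject))
    return found


# Constructed sample; names are made up, shape follows the CRD fields above.
SAMPLE_GRB = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "management.cattle.io/v3", "kind": "GlobalRoleBinding",
     "metadata": {"name": "globalrolebinding-admin1"},
     "globalRoleName": "admin", "userName": "user-admin1"},
    {"apiVersion": "management.cattle.io/v3", "kind": "GlobalRoleBinding",
     "metadata": {"name": "grb-xyz34"},
     "globalRoleName": "restricted-admin", "userName": "u-r7k2p"},
    {"apiVersion": "management.cattle.io/v3", "kind": "GlobalRoleBinding",
     "metadata": {"name": "grb-grp01"},
     "globalRoleName": "restricted-admin", "groupPrincipalName": "okta_group://ops"},
]})


if __name__ == "__main__":
    for img in ("rancher/rancher:v2.6.3", "rancher/rancher:v2.6.4",
                "rancher/rancher:v2.5.12", "rancher/rancher:v2.5.13"):
        print(img, "VULNERABLE" if is_vulnerable(img) else "fixed")
    for name, subject in restricted_admin_bindings(SAMPLE_GRB):
        print("restricted-admin held by", subject, "via", name)
```

To use it against a live server, pipe the output of the kubectl image query into parse_version and the output of kubectl get globalrolebindings.management.cattle.io -o json into restricted_admin_bindings; every binding it lists is a candidate for the temporary removal described in the workaround.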
📡 Detection & Monitoring
Log Indicators:
- Administrative actions by restricted-admin users that restricted-admin should not need: creating or modifying global role bindings, users, or authentication settings
- A restricted-admin user appearing as the subject of a new admin GlobalRoleBinding
Network Indicators:
- Increased API calls to administrative endpoints from restricted-admin accounts
SIEM Query:
source="rancher" AND (event_type="role_escalation" OR (user_role="restricted-admin" AND action="admin_operation"))
The field names above are placeholders for however your SIEM normalizes Rancher's API audit log; the parentheses matter, because AND binds tighter than OR and the unparenthesized form would only match restricted-admin admin operations.
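The log indicators above as runnable detection logic, added here as an example and not part of the advisory. It scans Rancher API audit-log lines (JSON per line with requestURI, method and user.name, as Rancher's audit log emits them) for write requests by known restricted-admin accounts against the endpoints through which global roles and users are managed. Which URIs count as sensitive is an assumption you should tune; the log lines and user set are constructed.

```python
"""Added example for CVE-2021-36784: flag privilege-escalation-style writes by
restricted-admin users in Rancher API audit-log lines."""
import json
import re

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed set of endpoints a restricted-admin would touch to grant itself or
# another account a global role; extend for your own environment.
SENSITIVE_URI = re.compile(r"^/v3/(globalrolebindings|globalroles|users)(/|$)")


def suspicious_events(log_lines, restricted_admins):
    """Return (timestamp, user, method, requestURI) for every write request by a
    restricted-admin user against a sensitive endpoint. Non-JSON lines are
    skipped rather than aborting the scan."""
    alerts = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        user = (event.get("user") or {}).get("name")
        method = event.get("method", "")
        uri = event.get("requestURI", "")
        path = uri.split("?", 1)[0]  # ignore query string when matching
        if user in restricted_admins and method in WRITE_METHODS and SENSITIVE_URI.match(path):
            alerts.append((event.get("requestTimestamp"), user, method, uri))
    return alerts


# Constructed sample log; user IDs and timestamps are made up.
SAMPLE_LOG = """
{"auditID":"1","requestURI":"/v3/clusters","method":"GET","user":{"name":"u-r7k2p"},"requestTimestamp":"2022-03-01 10:00:00 +0000"}
{"auditID":"2","requestURI":"/v3/globalrolebindings","method":"POST","user":{"name":"u-r7k2p"},"requestTimestamp":"2022-03-01 10:00:05 +0000"}
{"auditID":"3","requestURI":"/v3/globalrolebindings","method":"POST","user":{"name":"user-admin1"},"requestTimestamp":"2022-03-01 10:01:00 +0000"}
{"auditID":"4","requestURI":"/v3/users/u-victim?action=setpassword","method":"PUT","user":{"name":"u-r7k2p"},"requestTimestamp":"2022-03-01 10:02:00 +0000"}
this line is not JSON and is skipped
"""

RESTRICTED_ADMINS = {"u-r7k2p"}  # populate from the GlobalRoleBinding audit


if __name__ == "__main__":
    for ts, user, method, uri in suspicious_events(SAMPLE_LOG.splitlines(), RESTRICTED_ADMINS):
        print(f"ALERT {ts} {user} {method} {uri}")
```

In the sample, the GET on /v3/clusters is normal restricted-admin work and the POST by user-admin1 is a full admin acting within its role, so only the two writes by u-r7k2p are reported. Feeding the function the user set produced by the binding audit keeps the detection tied to who actually holds restricted-admin today rather than to a hardcoded list.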