CVE-2022-43755
📋 TL;DR
CVE-2022-43755 is an insufficient-entropy vulnerability in SUSE Rancher: an attacker who has already obtained a cattle-token can keep using it even after the token has been renewed, so rotation does not evict them. It only matters for deployments where a token has already been stolen through some other weakness. Affected versions are Rancher prior to 2.6.10 on the 2.6 track and prior to 2.7.1 on the 2.7 track.
💻 Affected Systems
- SUSE Rancher
📦 What is this software?
Rancher is SUSE's open-source platform for provisioning and centrally managing Kubernetes clusters. Its components and the agents on managed clusters authenticate to the Rancher server with Rancher-issued tokens; "cattle" is the internal name of Rancher's cluster-management service (hence the cattle-system namespace and the cattle-token named in this advisory), so a token that survives renewal is a foothold into the cluster management path.
⚠️ Risk & Real-World Impact
Worst Case
Attackers maintain persistent access to Rancher management console and can escalate privileges, deploy malicious workloads, or exfiltrate sensitive cluster data even after token rotation attempts.
Likely Case
Previously compromised tokens remain valid, allowing attackers to maintain unauthorized access to Rancher management functions and potentially compromise Kubernetes clusters managed by Rancher.
If Mitigated
Network segmentation and access controls reduce where a stolen token can be used from, but not what it is authorized to do: a token that reaches the Rancher API still carries its full permissions, including the ability to change the configuration of managed clusters.
🎯 Exploit Status
Not exploitable on its own: the weakness is that a stolen token survives renewal, so an attacker must first have obtained a cattle-token through another vulnerability or through credential theft.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.6.10 and Rancher 2.7.1
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1205297
Restart Required: Yes
Instructions:
1. Back up the Rancher configuration and data using your usual backup procedure.
2. Upgrade to Rancher 2.6.10 or later on the 2.6 track, or 2.7.1 or later on the 2.7 track.
3. Restart the Rancher deployment (a Helm upgrade rolls the pods; confirm they are running the new image).
4. Rotate all cattle-tokens after the upgrade and confirm the old ones are rejected. The fix changes how new tokens are generated; it does not retroactively replace tokens issued by the vulnerable version, so treat those as weak until they have been replaced.
🔧 Temporary Workarounds
Manual Token Rotation
Rotate all cattle-tokens and confirm the old ones are invalidated. The selector below is the one this page uses; check the labels on your installation first (`kubectl get secrets -n cattle-system --show-labels`), since secret names and labels differ between Rancher versions:
kubectl delete secrets -n cattle-system --selector=app=cattle-token
Then restart the Rancher deployment so that new tokens are generated (`kubectl rollout restart deployment/rancher -n cattle-system`).
Caveat: on an unpatched version this is only a partial measure, for exactly the reason the CVE describes: a token the attacker already holds may keep working after renewal, and the regenerated tokens are produced by the same vulnerable code. Use it to narrow the window and pair it with the monitoring described under Detection & Monitoring; it is not a substitute for the upgrade.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Rancher management plane from untrusted networks
- Enable Rancher's API audit log (Helm value `auditLog.level`; levels 1 to 3 record progressively more of each request), ship it to your SIEM, and alert on any token that is still being used after its rotation
🔍 How to Verify
Check if Vulnerable:
Read the Rancher server image tag and test it against the affected ranges. Rancher tags carry a leading "v" (for example rancher/rancher:v2.6.9), and an unanchored prefix match such as "2.6.1" would also hit 2.6.10, so the pattern must be anchored on a non-digit after the patch number. 2.5.x and earlier are also "prior to 2.6.10" and are matched as well:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -E ':v?(2\.[0-5]\.|2\.6\.[0-9]($|[^0-9])|2\.7\.0($|[^0-9]))' && echo VULNERABLE
Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}'
Verify Fix Applied:
The image tag must be v2.6.10 or later on the 2.6.x track, or v2.7.1 or later on the 2.7.x track. A digest-pinned or custom-tagged image cannot be checked from the tag alone; confirm the version from the Rancher UI or from the Helm release (`helm list -n cattle-system`) instead.
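The version check above, written out as a complete script. This is an added example, not code from the Rancher project or from this advisory: it parses the image reference with plain shell, compares the version numerically instead of with a regular expression (so 2.6.10 is correctly classified as fixed while 2.5.x, 2.6.0-2.6.9 and 2.7.0 are flagged), and refuses to guess when the tag is a digest, "latest" or a pre-release. The `CHECK_LIVE` variable and the function names are this example's own conventions; the kubectl query is the one shown on this page.

```shell
#!/bin/sh
# Added example (not from the Rancher project): decide whether a Rancher
# server image reference is on a version affected by CVE-2022-43755.
# Fixed versions per the advisory: 2.6.10 (2.6 track) and 2.7.1 (2.7 track);
# everything older, including 2.5.x and earlier, is "prior to 2.6.10".

# Print the bare version from an image reference, e.g.
#   rancher/rancher:v2.6.9                        -> 2.6.9
#   registry.example:5000/rancher/rancher:v2.7.1  -> 2.7.1
# Fails (exit 1) for digests, "latest", pre-release tags or a missing tag:
# those must be resolved by hand (Rancher UI or `helm list`), not guessed.
image_tag_version() {
    tag=${1##*:}      # everything after the last colon
    tag=${tag#v}      # Rancher tags carry a leading "v"
    case "$tag" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$tag"
}

# Exit status: 0 = vulnerable, 1 = fixed, 2 = version could not be determined.
# Every test is written as "[ ... ] && return" so the function is safe
# under `set -e` whether or not it is called inside a conditional.
rancher_version_vulnerable() {
    ver=$(image_tag_version "$1") || return 2
    IFS=.; set -- $ver; unset IFS          # split "2.6.9" into 2 6 9
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 2 ] && return 1         # 3.x or later
    [ "$major" -lt 2 ] && return 0         # 1.x
    [ "$minor" -lt 6 ] && return 0         # 2.0 .. 2.5
    [ "$minor" -gt 7 ] && return 1         # 2.8 or later
    if [ "$minor" -eq 6 ]; then
        [ "$patch" -lt 10 ] && return 0    # 2.6.0 .. 2.6.9
        return 1
    fi
    [ "$patch" -lt 1 ] && return 0         # 2.7.0
    return 1
}

# Classify one image reference and print a human-readable verdict.
check_image() {
    rc=0
    rancher_version_vulnerable "$1" || rc=$?
    case $rc in
        0) printf 'VULNERABLE: %s\n' "$1" ;;
        1) printf 'fixed: %s\n' "$1" ;;
        *) printf 'UNKNOWN (tag is not a plain version, inspect manually): %s\n' "$1" ;;
    esac
}

# Usage:  sh check-rancher.sh IMAGE...       check the given image references
#         CHECK_LIVE=1 sh check-rancher.sh   read the running server's image via kubectl
for img in "$@"; do check_image "$img"; done
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    live=$(kubectl get pods -n cattle-system -l app=rancher \
              -o jsonpath='{.items[0].spec.containers[0].image}')
    check_image "$live"
fi
```

Run it against the live server with `CHECK_LIVE=1 sh check-rancher.sh`, or against a list of image references from an inventory. An UNKNOWN verdict is deliberate: a digest-pinned image is the normal case in hardened deployments, and a script that silently reported "fixed" for it would be worse than no check.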
📡 Detection & Monitoring
Log Indicators:
- Multiple authentication attempts with same token after rotation
- Unusual API calls from previously compromised tokens
Network Indicators:
- Unexpected Rancher API traffic from unauthorized sources
SIEM Query (illustrative; adapt the source and field names to your log pipeline, and search on token names or IDs, since token values must never be logged):
source="rancher" AND ("cattle-token" OR "authentication") AND ("failed" OR "invalid" OR "reused")
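The first log indicator above, use of a token after its rotation, is the one signal that is specific to this CVE, and it is easy to evaluate once rotation events and usage events are in the same stream. The following is an added example, not Rancher's audit log format or any Rancher tooling: it assumes events have already been normalised to "<epoch> <event> <token-id>" lines (the token ID being a name or hash, never the secret value) and uses awk to report every token whose latest use is later than its latest rotation. The sample events are constructed.

```shell
#!/bin/sh
# Added example (not Rancher's audit log format): flag tokens that are still
# being used after they were rotated, which is the trace CVE-2022-43755
# exploitation leaves behind. Input lines are "<epoch> <event> <token-id>",
# where event is "rotated" or "used" and token-id is a non-secret identifier
# (a token name or a hash of the token), never the token value itself.

# Constructed sample events, deliberately out of order:
#   tok-a is used after its rotation (should be flagged)
#   tok-b is used only before its rotation (benign)
#   tok-c was never rotated (nothing to compare against)
SAMPLE_EVENTS='1700000000 used    tok-a
1700000100 rotated tok-a
1700000200 used    tok-a
1700000050 used    tok-b
1700000300 rotated tok-b
1700000150 used    tok-c'

# Reads events on stdin; prints one line per token whose most recent use is
# later than its most recent rotation, sorted. Order of input does not matter
# because only the latest timestamp of each kind is kept per token.
tokens_used_after_rotation() {
    awk '
        $2 == "rotated" { if (!($3 in rot)  || $1+0 > rot[$3])  rot[$3]  = $1+0 }
        $2 == "used"    { if (!($3 in last) || $1+0 > last[$3]) last[$3] = $1+0 }
        END { for (t in rot) if ((t in last) && last[t] > rot[t]) print t }
    ' | sort
}

# Demo on the constructed sample; in practice feed the normalised log stream.
printf '%s\n' "$SAMPLE_EVENTS" | tokens_used_after_rotation
```

A token that shows up here on a patched system should be treated as an active compromise rather than a logging quirk: the fixed versions reject renewed tokens, so continued use means the rotation did not actually replace the credential the attacker holds.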