CVE-2022-43759
📋 TL;DR
This vulnerability in SUSE Rancher allows authenticated users with 'escalate' permissions on PRTBs (Project Role Template Bindings) to escalate their privileges for any promoted resource across any cluster. This affects Rancher deployments where users have been granted escalate permissions, potentially enabling unauthorized access to sensitive resources. The issue impacts SUSE Rancher versions before 2.5.17 and 2.6.10.
💻 Affected Systems
- SUSE Rancher
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with escalate permissions could gain administrative control over any cluster managed by Rancher, potentially compromising all workloads, data, and infrastructure.
Likely Case
Privileged users could unintentionally or maliciously elevate their permissions beyond intended scope, leading to unauthorized access to sensitive resources across clusters.
If Mitigated
With proper RBAC controls limiting escalate permissions to trusted administrators only, the impact is reduced to authorized users potentially misusing legitimate permissions.
🎯 Exploit Status
Exploitation requires authenticated access with escalate permissions. The vulnerability is in authorization logic, making exploitation straightforward for users with the required permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.5.17 or 2.6.10
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1205293
Restart Required: Yes
Instructions:
1. Back up your Rancher configuration and data.
2. Upgrade to Rancher 2.5.17 if using the 2.5.x series.
3. Upgrade to Rancher 2.6.10 if using the 2.6.x series.
4. Restart Rancher services.
5. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Remove Escalate Permissions
Temporarily remove the 'escalate' verb from the roles granted through PRTBs until patching can be completed. The verbs live in the rules of the role the binding references, not in the binding itself, so locate the role through the binding and edit the role:
kubectl edit clusterrolebinding <binding-name>   # read roleRef.name to find the bound role
kubectl edit clusterrole <role-name>             # remove 'escalate' from verbs in rules
Restrict User Access
Review and restrict user access to only the permissions each user needs, in particular limiting who holds the escalate verb.
Review RBAC configurations in Rancher UI or via kubectl
🧯 If You Can't Patch
- Implement strict RBAC controls to limit escalate permissions to absolute minimum required users
- Enable audit logging for all privilege escalation attempts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Rancher version (the image tag carries a leading 'v', e.g. rancher/rancher:v2.6.9, so the pattern must allow it): kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -oE 'rancher/rancher:v?[0-9.]+'
Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}'
Verify Fix Applied:
Using the same command, verify the version is 2.5.17 or higher for the 2.5.x series, or 2.6.10 or higher for the 2.6.x series.
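The version check above is easy to get wrong by eye (2.6.9 is vulnerable, 2.6.10 is fixed, and the image tag carries a leading "v"). The POSIX shell functions below, added here as an example and not part of the advisory, extract the version from a Rancher image reference and classify it against the fixed releases named on this page. Only the 2.5 and 2.6 series are classified, because those are the two series the advisory lists; anything else returns "unknown" so it is not silently reported as fixed. The function and variable names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Rancher server image
# against the CVE-2022-43759 fixed versions (2.5.17 and 2.6.10).

# Extract the bare version from an image reference such as
# "rancher/rancher:v2.6.9" or "docker.io/rancher/rancher:2.5.17".
# Prints "2.6.9" / "2.5.17"; prints nothing if no rancher/rancher tag is found.
rancher_version_from_image() {
  printf '%s\n' "$1" | sed -n 's#.*rancher/rancher:v\{0,1\}\([0-9][0-9.]*\).*#\1#p'
}

# Print "vulnerable", "fixed" or "unknown" for a bare version string.
# Only the two series the advisory names are classified; any other
# series (2.4.x, 2.7.x, ...) is reported as unknown rather than fixed.
cve_2022_43759_status() {
  ver="$1"
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  # Strip any suffix such as "-rc1" so the numeric comparison below is valid.
  patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
  [ -z "$patch" ] && patch=0
  case "$major.$minor" in
    2.5) if [ "$patch" -lt 17 ]; then echo vulnerable; else echo fixed; fi ;;
    2.6) if [ "$patch" -lt 10 ]; then echo vulnerable; else echo fixed; fi ;;
    *)   echo unknown ;;
  esac
}

# Live check against the cluster kubectl is currently pointed at.
# Uses the same pod/image lookup as the advisory; needs read access to
# pods in the cattle-system namespace. Not run automatically.
check_running_rancher() {
  image=$(kubectl get pods -n cattle-system -l app=rancher \
    -o jsonpath='{.items[0].spec.containers[0].image}') || return 1
  printf '%s -> %s\n' "$image" \
    "$(cve_2022_43759_status "$(rancher_version_from_image "$image")")"
}
```

Source the file and call check_running_rancher to test a live deployment, or feed an image string into rancher_version_from_image and cve_2022_43759_status to classify a tag pulled from an inventory or a Helm values file. Treat "unknown" as "confirm with the vendor advisory", not as safe.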
📡 Detection & Monitoring
Log Indicators:
- Unauthorized privilege escalation attempts in Rancher audit logs
- Unexpected permission changes for users with escalate verb
Network Indicators:
- Unusual API calls to Rancher authorization endpoints from non-admin users
SIEM Query:
source="rancher-audit" AND (event="escalate" OR verb="escalate") AND user!="admin"