CVE-2023-22650
📋 TL;DR
CVE-2023-22650 is an authentication bypass vulnerability in Rancher where deleted, disabled, or revoked users from external authentication providers remain active in Rancher with valid tokens. This allows unauthorized access to Rancher management interfaces. Organizations using Rancher with external authentication providers (LDAP, AD, OIDC, etc.) are affected.
💻 Affected Systems
- Rancher
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Former employees or malicious actors maintain persistent access to the Rancher management console, potentially compromising every Kubernetes cluster managed by Rancher and leading to data exfiltration, resource hijacking, or complete cluster takeover.
Likely Case
Former employees retain access to Rancher after termination, potentially accessing sensitive cluster configurations, deploying unauthorized workloads, or viewing proprietary application data.
If Mitigated
With proper monitoring and manual user cleanup procedures, impact is limited to temporary access until manual remediation occurs.
🎯 Exploit Status
Exploitation requires previously valid user credentials/tokens: an attacker simply keeps using a token issued before the user was deleted from the authentication provider, because Rancher does not invalidate it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.7.2 and 2.6.11
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-9ghh-mmcq-8phc
Restart Required: Yes
Instructions:
1. Back up Rancher configuration and data.
2. Upgrade to Rancher 2.7.2 (for v2.7.x) or 2.6.11 (for v2.6.x).
3. Restart Rancher services.
4. Manually revoke all existing tokens for users deleted from authentication providers.
🔧 Temporary Workarounds
Manual User Cleanup
Regularly audit Rancher users and manually delete those who no longer exist in the external authentication provider. Rancher User objects are cluster-scoped, so no namespace flag is needed; the argument to delete is the object name shown in the first column (the Rancher user ID), not the display name.
kubectl get users.management.cattle.io
kubectl delete users.management.cattle.io <rancher-user-id>
Token Revocation
Revoke all active tokens for users removed from authentication providers.
Use Rancher UI: Users & Authentication → Users → Select user → Revoke Tokens
🧯 If You Can't Patch
- Implement strict monitoring of user access logs and alert on activity from users not in current authentication provider directory
- Establish manual process to immediately revoke tokens when users are removed from authentication provider
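The two workarounds above (user cleanup and token revocation) are the same reconciliation step: compare the principals Rancher knows about with the principals the identity provider still reports, then revoke tokens for users whose external principal has vanished. The following script is an added example, not Rancher's code or part of this advisory. It assumes the object shapes returned by `kubectl get users.management.cattle.io -o json` and `kubectl get tokens.management.cattle.io -o json` as the author understands the Rancher CRDs (`principalIds` on users, `userId`/`authProvider` on tokens); the list of principals still active in the IdP is a constructed sample that in practice you would export from LDAP/AD/OIDC. It prints the kubectl commands for review rather than executing them.

```python
"""Reconcile Rancher users against the identity provider and plan token revocation.

Added example, not Rancher's code. Assumptions (marked): input dicts mirror
`kubectl get users.management.cattle.io -o json` and
`kubectl get tokens.management.cattle.io -o json` as this author understands
the CRDs (`principalIds` on users, `userId`/`authProvider` on tokens); the set
of principals still present in the IdP is a constructed sample.
"""
import json
import subprocess

LOCAL_PREFIX = "local://"

# Constructed sample: one local admin and two AD-backed users (bob has left).
SAMPLE_USERS = [
    {"metadata": {"name": "user-abc"}, "username": "admin",
     "principalIds": ["local://user-abc"]},
    {"metadata": {"name": "u-k7x2m"}, "displayName": "alice",
     "principalIds": ["local://u-k7x2m",
                      "activedirectory_user://CN=alice,OU=Eng,DC=example,DC=com"]},
    {"metadata": {"name": "u-p9q4t"}, "displayName": "bob",
     "principalIds": ["local://u-p9q4t",
                      "activedirectory_user://CN=bob,OU=Eng,DC=example,DC=com"]},
]
SAMPLE_TOKENS = [
    {"metadata": {"name": "token-a1b2c"}, "userId": "u-k7x2m", "authProvider": "activedirectory"},
    {"metadata": {"name": "token-d3e4f"}, "userId": "u-p9q4t", "authProvider": "activedirectory"},
    {"metadata": {"name": "kubeconfig-u-p9q4t"}, "userId": "u-p9q4t", "authProvider": "activedirectory"},
    {"metadata": {"name": "token-lcl01"}, "userId": "user-abc", "authProvider": "local"},
]
# Constructed: principals the IdP still reports as active (bob is gone).
ACTIVE_PRINCIPALS = {"activedirectory_user://CN=alice,OU=Eng,DC=example,DC=com"}


def external_principals(user):
    """Principal IDs that belong to an external provider (everything but local://)."""
    return [p for p in user.get("principalIds", []) if not p.startswith(LOCAL_PREFIX)]


def orphaned_users(users, active_principals):
    """Users linked to an external provider whose every external principal has vanished.

    Local-only accounts are never flagged: the IdP says nothing about them.
    """
    orphans = []
    for user in users:
        ext = external_principals(user)
        if ext and not any(p in active_principals for p in ext):
            orphans.append(user["metadata"]["name"])
    return sorted(orphans)


def tokens_for(tokens, user_ids):
    """Token object names owned by the given Rancher user IDs (API and kubeconfig tokens alike)."""
    wanted = set(user_ids)
    return sorted(t["metadata"]["name"] for t in tokens if t.get("userId") in wanted)


def plan_revocations(users, tokens, active_principals):
    """Return the users to delete and the tokens to revoke for them."""
    users_to_delete = orphaned_users(users, active_principals)
    return {"users": users_to_delete, "tokens": tokens_for(tokens, users_to_delete)}


def kubectl_delete_commands(plan):
    """Render the plan as kubectl commands for review.

    Tokens come first so the credential dies before the user object does.
    """
    cmds = [f"kubectl delete tokens.management.cattle.io {name}" for name in plan["tokens"]]
    cmds += [f"kubectl delete users.management.cattle.io {name}" for name in plan["users"]]
    return cmds


def load_from_cluster(kind):
    """Fetch live objects with kubectl (not used by the offline sample run)."""
    out = subprocess.run(["kubectl", "get", kind, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["items"]


if __name__ == "__main__":
    plan = plan_revocations(SAMPLE_USERS, SAMPLE_TOKENS, ACTIVE_PRINCIPALS)
    print("\n".join(kubectl_delete_commands(plan)))
```

Run it on a schedule against `load_from_cluster("users.management.cattle.io")` and `load_from_cluster("tokens.management.cattle.io")` with a fresh principal export from the IdP, and review the printed commands before applying them; the local admin account is deliberately left alone because the IdP cannot vouch for it either way.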
🔍 How to Verify
Check if Vulnerable:
Check Rancher version: if using external auth and version is below 2.7.2 (for 2.7.x) or 2.6.11 (for 2.6.x), you are vulnerable.
Check Version:
kubectl get settings.management.cattle.io server-version -o yaml | grep value
Verify Fix Applied:
After upgrade, verify version is 2.7.2+ or 2.6.11+. Test by removing a test user from authentication provider and confirming their Rancher tokens become invalid.
📡 Detection & Monitoring
Log Indicators:
- Authentication logs showing successful logins from users not in current authentication provider directory
- API access from users marked as deleted in authentication provider
Network Indicators:
- Rancher API calls from IP addresses associated with former employees
- Unusual authentication patterns from supposedly disabled accounts
SIEM Query:
source="rancher" AND (event="authentication_success" OR event="api_call") | join user_id [search source="auth_provider" event="user_deleted" | fields user_id]
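The SIEM query above joins Rancher access events to identity-provider deletion events on `user_id`. The script below is an added example, not part of this advisory or of Rancher, that performs the same correlation in plain Python over constructed key=value log lines, with one refinement the query lacks: only access at or after the deletion timestamp is flagged, so a legitimate login the day before the user was removed does not fire. It assumes both log sources carry a common `user_id` field (in practice a lookup from IdP principal to Rancher user ID sits in between) and that timestamps are ISO 8601 UTC.

```python
"""Correlate Rancher access events with identity-provider deletion events.

Added example (not from the advisory or Rancher). Assumptions: both sources
are key=value lines sharing a `user_id` field; timestamps are ISO 8601 UTC.
The log lines below are constructed samples.
"""
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
ACCESS_EVENTS = {"authentication_success", "api_call"}

# Constructed sample: bob (u-p9q4t) logs in, is deleted from the IdP, then keeps
# using his token, including from an outside address. alice (u-k7x2m) is normal.
SAMPLE_LOGS = """\
ts=2023-03-30T08:02:11Z source=rancher event=authentication_success user_id=u-p9q4t src_ip=10.20.0.15
ts=2023-03-31T17:45:00Z source=auth_provider event=user_deleted user_id=u-p9q4t
ts=2023-03-31T17:50:09Z source=rancher event=api_call user_id=u-p9q4t src_ip=10.20.0.15 path=/v3/clusters
ts=2023-04-01T09:14:03Z source=rancher event=api_call user_id=u-p9q4t src_ip=203.0.113.7 path=/v3/projects
ts=2023-04-01T09:20:30Z source=rancher event=authentication_success user_id=u-k7x2m src_ip=10.20.0.22
"""


def parse_line(line):
    """Split a key=value log line into a dict (values contain no spaces in this format)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def deletion_times(events):
    """Earliest IdP deletion timestamp per user_id."""
    deleted = {}
    for e in events:
        if e.get("source") == "auth_provider" and e.get("event") == "user_deleted":
            ts = datetime.strptime(e["ts"], TS_FORMAT)
            uid = e["user_id"]
            if uid not in deleted or ts < deleted[uid]:
                deleted[uid] = ts
    return deleted


def orphan_activity(events):
    """Rancher access events by a user at or after the IdP deleted that user."""
    deleted = deletion_times(events)
    flagged = []
    for e in events:
        if e.get("source") != "rancher" or e.get("event") not in ACCESS_EVENTS:
            continue
        uid = e.get("user_id")
        if uid in deleted and datetime.strptime(e["ts"], TS_FORMAT) >= deleted[uid]:
            flagged.append(e)
    return flagged


def summarize(flagged):
    """Per-user event count and source IPs, the shape an alert would carry."""
    summary = {}
    for e in flagged:
        s = summary.setdefault(e["user_id"], {"events": 0, "src_ips": set()})
        s["events"] += 1
        if "src_ip" in e:
            s["src_ips"].add(e["src_ip"])
    return {u: {"events": s["events"], "src_ips": sorted(s["src_ips"])}
            for u, s in summary.items()}


if __name__ == "__main__":
    for user, info in summarize(orphan_activity(parse_logs(SAMPLE_LOGS))).items():
        print(f"ALERT deleted user {user} still active: "
              f"{info['events']} events from {', '.join(info['src_ips'])}")
```

The source-IP list in the summary is what lets an analyst tell a forgotten CI job on the corporate network from a former employee connecting from outside, which is the distinction the "Network Indicators" above ask for.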