CVE-2023-32191
📋 TL;DR
CVE-2023-32191 is a privilege escalation vulnerability in Rancher Kubernetes Engine (RKE) where non-admin users can access the 'full-cluster-state' ConfigMap containing sensitive cluster configuration data. This allows attackers to escalate privileges to cluster-admin level. All RKE clusters using vulnerable versions are affected.
💻 Affected Systems
- Rancher Kubernetes Engine (RKE)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise allowing attackers to deploy malicious workloads, exfiltrate sensitive data, disrupt services, or pivot to other infrastructure.
Likely Case
Privilege escalation to cluster-admin allowing unauthorized access to all cluster resources and potential lateral movement.
If Mitigated
Limited impact if proper RBAC controls, network segmentation, and monitoring are in place to detect unauthorized ConfigMap access.
🎯 Exploit Status
Exploitation requires authenticated access to the cluster but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RKE v1.4.8 and later
Vendor Advisory: https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqx
Restart Required: Yes
Instructions:
1. Upgrade RKE to v1.4.8 or later.
2. Update all RKE clusters using the upgraded version.
3. Restart cluster components as required by the upgrade process.
🔧 Temporary Workarounds
Restrict ConfigMap Access
Apply RBAC policies to restrict access to the 'full-cluster-state' ConfigMap in the kube-system namespace. Kubernetes RBAC is allow-only (there is no deny rule), so the workaround is to find and remove any Role/ClusterRole bindings that grant non-admin subjects get, list or watch on ConfigMaps in kube-system, then confirm the result with impersonation (replace the <non-admin-user> placeholder with a subject you want to check):
kubectl get rolebindings -n kube-system -o wide
kubectl get clusterrolebindings -o wide
kubectl auth can-i get configmap/full-cluster-state -n kube-system --as=<non-admin-user>
kubectl auth can-i list configmaps -n kube-system --as=<non-admin-user>
🧯 If You Can't Patch
- Implement strict RBAC controls to limit access to ConfigMaps in kube-system namespace
- Enable audit logging for ConfigMap access and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Run 'rke --version' and check whether the reported version is below v1.4.8. Also check whether the 'full-cluster-state' ConfigMap exists in the kube-system namespace.
Check Version:
rke --version
Verify Fix Applied:
Verify that 'rke --version' reports v1.4.8 or later. Then test that non-admin users cannot read the 'full-cluster-state' ConfigMap.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to 'full-cluster-state' ConfigMap
- RBAC permission escalation events
- Cluster configuration changes by non-admin users
Network Indicators:
- Unusual API calls to ConfigMap resources
- Suspicious kubectl commands from unexpected sources
SIEM Query:
source="kubernetes" AND (resource="configmaps" AND name="full-cluster-state" AND namespace="kube-system") AND user!="system:serviceaccount:kube-system:*"
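As an added example (not part of this advisory or of RKE), the same detection logic applied to Kubernetes API-server audit log lines (constructed samples), with one extension: it also flags namespace-wide list/watch on kube-system ConfigMaps, which return the object without naming it in objectRef and so are missed by the name-only SIEM query above.

```python
import json
from typing import Iterable, List, Optional

# Names from the advisory; the trusted prefix mirrors the exclusion in the SIEM query above.
SENSITIVE_NS = "kube-system"
SENSITIVE_NAME = "full-cluster-state"
TRUSTED_PREFIX = "system:serviceaccount:kube-system:"
READ_VERBS = {"get", "list", "watch"}

def flag_event(event: dict) -> Optional[str]:
    """Return an alert string for one audit.k8s.io/v1 event, or None if benign."""
    ref = event.get("objectRef") or {}
    if ref.get("resource") != "configmaps" or ref.get("namespace") != SENSITIVE_NS:
        return None
    user = (event.get("user") or {}).get("username", "")
    if user.startswith(TRUSTED_PREFIX):
        return None
    verb = event.get("verb", "")
    code = (event.get("responseStatus") or {}).get("code", "?")
    name = ref.get("name")
    if name == SENSITIVE_NAME:
        return f"{user} {verb} {SENSITIVE_NAME} (HTTP {code})"
    # A namespace-wide list/watch returns the ConfigMap without naming it in
    # objectRef, so a name-only match (as in the SIEM query) would miss it.
    if name is None and verb in READ_VERBS:
        return f"{user} {verb} configmaps in {SENSITIVE_NS} (HTTP {code})"
    return None

def scan(lines: Iterable[str]) -> List[str]:
    """Run flag_event over JSON-lines audit output, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        try:
            reason = flag_event(json.loads(line))
        except json.JSONDecodeError:
            continue
        if reason:
            alerts.append(reason)
    return alerts

# Constructed sample audit events (not real cluster output); one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"full-cluster-state"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:kube-system:default"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"full-cluster-state"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"bob"},"objectRef":{"resource":"configmaps","namespace":"kube-system"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"carol"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"coredns"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"eve"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"full-cluster-state"},"responseStatus":{"code":403}}
"""
```

Denied requests (HTTP 403) are kept as alerts on purpose, since a failed read of this ConfigMap is still an access attempt worth reviewing.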