CVE-2023-32196
📋 TL;DR
This vulnerability allows attackers to escalate privileges in Rancher when RoleTemplate objects have external=true. Attackers could gain higher permissions than intended, potentially compromising the entire Rancher management platform. Organizations using Rancher with external RoleTemplates are affected.
💻 Affected Systems
- Rancher
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Rancher management plane, allowing attackers to create administrative accounts, access all managed clusters, and deploy malicious workloads across the entire Kubernetes environment.
Likely Case
Privilege escalation within Rancher leading to unauthorized access to sensitive resources, cluster configurations, or the ability to deploy workloads in managed Kubernetes clusters.
If Mitigated
Limited impact with proper network segmentation, minimal user permissions, and monitoring in place, though privilege escalation paths would still exist.
🎯 Exploit Status
Exploitation requires authenticated access to Rancher and knowledge of how to create/modify RoleTemplate objects with external=true. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.6.14, 2.7.9, or later
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-64jq-m7rq-768h
Restart Required: Yes
Instructions:
1. Backup Rancher configuration and data. 2. Upgrade Rancher to version 2.6.14 or 2.7.9+. 3. Restart Rancher services. 4. Verify upgrade completed successfully.
🔧 Temporary Workarounds
Disable external RoleTemplate creation
linuxRestrict creation of RoleTemplate objects with external=true parameter through RBAC policies or admission controllers
kubectl apply -f roletemplate-restriction.yaml
Audit existing RoleTemplates
linuxReview and remove any RoleTemplate objects with external=true that are not strictly required
kubectl get roletemplates -A -o json | jq '.items[] | select(.spec.external==true)'
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can create or modify RoleTemplate objects
- Enable audit logging for all RoleTemplate operations and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Rancher version: kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}'Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[0].spec.containers[0].image}' | grep -E '2.6.1[4-9]|2.7.[9-9]|2.[8-9]'Verify Fix Applied:
Confirm Rancher version is 2.6.14+ or 2.7.9+ and check that RoleTemplate privilege escalation attempts are properly blocked📡 Detection & Monitoring
Log Indicators:
- Unauthorized RoleTemplate creation/modification with external=true
- Privilege escalation attempts in Rancher audit logs
- Unexpected permission changes for users
Network Indicators:
- Unusual API calls to Rancher management interface related to RoleTemplate objects
SIEM Query:
source="rancher-audit" AND (event="create" OR event="update") AND object="roletemplate" AND external="true"