CVE-2023-32199
📋 TL;DR
CVE-2023-32199 is an improper preservation of permissions vulnerability in Rancher Manager where users retain cluster access after their custom GlobalRole or binding is removed. This affects Rancher deployments where custom GlobalRoles with wildcard permissions (* on *) have been created and then removed. Only administrators managing custom GlobalRoles are affected.
💻 Affected Systems
- Rancher Manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Former administrators maintain unauthorized access to all clusters, potentially allowing data exfiltration, configuration changes, or privilege escalation across the entire Rancher-managed environment.
Likely Case
Users who should have lost administrative privileges continue to have limited access to clusters they previously managed, creating compliance violations and potential security gaps.
If Mitigated
With proper access reviews and monitoring, unauthorized access would be quickly detected and remediated before significant damage occurs.
🎯 Exploit Status
Exploitation requires: 1) Administrative access to create custom GlobalRoles, 2) Creation of vulnerable wildcard permissions, 3) Subsequent removal of those roles/bindings while users retain access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher v2.7.9 and v2.6.14
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59
Restart Required: No
Instructions:
1. Backup your Rancher configuration.
2. Upgrade to Rancher v2.7.9 (for v2.7.x) or v2.6.14 (for v2.6.x).
3. Verify the upgrade completed successfully.
4. Review and clean up any lingering permissions from previously removed GlobalRoles.
🔧 Temporary Workarounds
Manual Permission Cleanup
Manually review and remove any lingering permissions held by users whose custom GlobalRoles with wildcard permissions were removed:
# ClusterRoleBindings are cluster-scoped, so no namespace flag is needed
kubectl get clusterrolebindings | grep -i 'custom'
# RoleBindings are namespaced; -A lists them across every namespace
kubectl get rolebindings -A | grep -i 'custom'
# Review the output and delete any binding whose GlobalRole/GlobalRoleBinding no longer exists
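The grep above only finds bindings by name. An added example (not from this page or from Rancher's own tooling) of the cross-check an administrator actually wants: list downstream ClusterRoleBindings that grant a wildcard (* on *) ClusterRole to a User who no longer has any GlobalRoleBinding in Rancher. The inputs are constructed samples shaped like `kubectl get ... -o json` output (GlobalRoleBinding fields `userName`/`globalRoleName` as in management.cattle.io/v3), trimmed to the fields used.

```python
import json

# Constructed sample: `kubectl get globalrolebindings.management.cattle.io -o json`
# after the binding for u-bob was deleted (only u-alice remains).
GLOBAL_ROLE_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "grb-alice"}, "globalRoleName": "custom-wildcard-admin", "userName": "u-alice"}
]}""")

# Constructed sample: `kubectl get clusterroles -o json` from a downstream cluster.
CLUSTER_ROLES = json.loads("""{"items": [
 {"metadata": {"name": "custom-wildcard-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]}""")

# Constructed sample: `kubectl get clusterrolebindings -o json`; crb-bob is the lingering binding.
CLUSTER_ROLE_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "crb-alice"}, "roleRef": {"kind": "ClusterRole", "name": "custom-wildcard-admin"},
  "subjects": [{"kind": "User", "name": "u-alice"}]},
 {"metadata": {"name": "crb-bob"}, "roleRef": {"kind": "ClusterRole", "name": "custom-wildcard-admin"},
  "subjects": [{"kind": "User", "name": "u-bob"}]},
 {"metadata": {"name": "crb-carol"}, "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
  "subjects": [{"kind": "User", "name": "u-carol"}]}
]}""")

def is_wildcard_rule(rule):
    """True when a single RBAC rule grants every verb on every resource in every API group."""
    return all("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))

def wildcard_cluster_roles(cluster_roles):
    """Names of ClusterRoles carrying at least one '* on *' rule."""
    return {r["metadata"]["name"] for r in cluster_roles["items"]
            if any(is_wildcard_rule(rule) for rule in r.get("rules", []))}

def users_with_global_binding(global_role_bindings):
    """Rancher user IDs that still hold some GlobalRoleBinding."""
    return {b["userName"] for b in global_role_bindings["items"] if b.get("userName")}

def lingering_bindings(global_role_bindings, cluster_roles, cluster_role_bindings):
    """(binding name, user) pairs: wildcard ClusterRole bound to a User with no remaining GlobalRoleBinding."""
    wildcard = wildcard_cluster_roles(cluster_roles)
    active_users = users_with_global_binding(global_role_bindings)
    found = []
    for crb in cluster_role_bindings["items"]:
        if crb["roleRef"].get("kind") != "ClusterRole" or crb["roleRef"]["name"] not in wildcard:
            continue  # only wildcard grants matter for this CVE's cleanup
        for subject in crb.get("subjects", []):
            if subject.get("kind") == "User" and subject["name"] not in active_users:
                found.append((crb["metadata"]["name"], subject["name"]))
    return found

if __name__ == "__main__":
    for name, user in lingering_bindings(GLOBAL_ROLE_BINDINGS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS):
        print(f"lingering wildcard binding {name} for user {user}: kubectl delete clusterrolebinding {name}")
```

Group subjects (`kind: Group`) and bindings Rancher derives from cluster- or project-level roles are out of scope here; extend `users_with_global_binding` with the relevant bindings before deleting anything in a real environment.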
🧯 If You Can't Patch
- Implement strict access reviews and regularly audit all GlobalRoles and bindings to identify unauthorized permissions
- Enable detailed audit logging for all permission changes and monitor for unexpected access patterns
🔍 How to Verify
Check if Vulnerable:
Check if you have Rancher versions prior to 2.7.9 or 2.6.14 AND have created/removed custom GlobalRoles with wildcard (* on *) permissions.
Check Version:
kubectl get pods -n cattle-system -l app=rancher -o jsonpath='{.items[*].spec.containers[*].image}' | grep -o 'rancher/rancher:[^ ]*'
Verify Fix Applied:
After upgrading, verify version is 2.7.9+ or 2.6.14+, then test by creating/removing a custom GlobalRole with wildcard permissions and confirming access is properly revoked.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing users accessing clusters after their GlobalRole/binding removal
- Audit logs of permission changes showing role removal without access revocation
Network Indicators:
- Unexpected API calls from users who should no longer have access
SIEM Query:
source="rancher-audit-logs" (event="GlobalRole.delete" OR event="GlobalRoleBinding.delete") AND user_access_after_removal=true