CVE-2024-22032
📋 TL;DR
This vulnerability in RKE1 clusters causes continuous reconciliation when secrets encryption is enabled, exposing Kube API secret values in plaintext within the AppliedSpec. Cluster owners, members, and project members can view these secrets via their RBAC permissions, potentially exposing sensitive data. The vulnerability affects Rancher-managed RKE1 clusters with secrets encryption configuration enabled.
💻 Affected Systems
- Rancher
- RKE1
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with cluster/project member access can extract all Kube API secrets in plaintext, potentially compromising sensitive data like database credentials, API keys, and authentication tokens, leading to full cluster compromise.
Likely Case
Authorized users (cluster/project members) inadvertently or intentionally view exposed secrets, leading to data leakage and potential privilege escalation within the cluster.
If Mitigated
With strict RBAC controls and minimal user permissions, only a small subset of users can access the exposed secrets, limiting the blast radius.
🎯 Exploit Status
Exploitation requires authenticated access as a cluster owner, cluster member, or project member. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.8.2
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-q6c7-56cq-g2wm
Restart Required: Yes
Instructions:
1. Upgrade Rancher to version 2.8.2 or later.
2. Restart affected RKE1 clusters.
3. Verify secrets encryption is functioning correctly post-upgrade.
🔧 Temporary Workarounds
Disable Secrets Encryption
Temporarily disable the secrets encryption configuration on affected RKE1 clusters to prevent the reconciliation loop and secret exposure.
kubectl edit cluster <cluster-name>
Remove or comment out the secretsEncryptionConfig section.
Restrict RBAC Permissions
Tighten RBAC permissions to limit who can view cluster objects, reducing the number of users who can access exposed secrets.
Review and modify ClusterRoleBindings and RoleBindings.
Remove unnecessary permissions to view cluster objects.
🧯 If You Can't Patch
- Implement strict RBAC controls to minimize users with cluster/project member permissions
- Monitor cluster logs for suspicious access to cluster objects and audit user activities
🔍 How to Verify
Check if Vulnerable:
Check whether you are running a Rancher version earlier than 2.8.2 with RKE1 clusters that have secrets encryption enabled. Review the cluster configuration for a secretsEncryptionConfig section.
Check Version:
kubectl get nodes -o wide | grep rancher || docker ps | grep rancher
Verify Fix Applied:
After upgrading to Rancher 2.8.2+, verify that secrets are no longer exposed in plaintext in AppliedSpec and reconciliation loops have stopped.
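The verification above as a script (an added example, not part of the advisory or of Rancher's own tooling): it classifies each cluster as exposed only when the Rancher server is older than 2.8.2 and secrets encryption is enabled. It assumes the Rancher `server-version` Setting object and the `spec.rancherKubernetesEngineConfig.services.kubeApi.secretsEncryptionConfig.enabled` field on the management Cluster object; the live lookup runs only with `--live`, so the comparison logic can be exercised offline.

```shell
#!/bin/sh
# Added example for CVE-2024-22032: flag Rancher-managed RKE1 clusters that are
# in the vulnerable configuration (Rancher < 2.8.2 AND secrets encryption enabled).

# Return 0 when dotted version $1 is lower than $2 (a leading "v" is ignored).
version_lt() {
    a=$(printf '%s' "$1" | sed 's/^v//')
    b=$(printf '%s' "$2" | sed 's/^v//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Classify one cluster: $1 cluster name, $2 Rancher server version,
# $3 value of secretsEncryptionConfig.enabled ("true", "false" or empty).
# Prints a verdict and returns 0 only when the cluster is exposed.
classify_cluster() {
    cluster=$1; server=$2; enc=$3
    if [ "$enc" != "true" ]; then
        echo "$cluster: secrets encryption not enabled - AppliedSpec exposure does not apply"
        return 1
    fi
    if version_lt "$server" "2.8.2"; then
        echo "$cluster: VULNERABLE - Rancher $server < 2.8.2 with secrets encryption enabled"
        return 0
    fi
    echo "$cluster: Rancher $server is a fixed version"
    return 1
}

# Live check against the Rancher management cluster (needs kubectl and a kubeconfig
# for the local/management cluster). Object and field paths are assumptions.
live_check() {
    server=$(kubectl get settings.management.cattle.io server-version -o jsonpath='{.value}')
    for c in $(kubectl get clusters.management.cattle.io -o jsonpath='{.items[*].metadata.name}'); do
        enc=$(kubectl get clusters.management.cattle.io "$c" \
            -o jsonpath='{.spec.rancherKubernetesEngineConfig.services.kubeApi.secretsEncryptionConfig.enabled}')
        classify_cluster "$c" "$server" "$enc" || true
    done
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `sh check-cve-2024-22032.sh --live` from a host with kubectl access to the Rancher management cluster; any line marked VULNERABLE is a cluster whose AppliedSpec should be inspected and which should be upgraded.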
📡 Detection & Monitoring
Log Indicators:
- Frequent reconciliation logs in RKE1 clusters
- Unauthorized or suspicious access to cluster objects via API server logs
Network Indicators:
- Increased API server traffic from users accessing cluster objects
- Unusual patterns in cluster object queries
SIEM Query:
source="kube-apiserver" AND ("AppliedSpec" OR "secretsEncryptionConfig") AND ("reconcile" OR "plaintext")