CVE-2024-58267
📋 TL;DR
This vulnerability in the SAML-based login flow that Rancher Manager provides for the Rancher CLI allows an attacker to steal a user's authentication token through a phishing link. The custom protocol the CLI uses to complete a SAML login can be abused to intercept the token Rancher issues and use it as the victim. Organizations running Rancher Manager with SAML authentication and CLI access are affected.
💻 Affected Systems
- Rancher Manager
⚠️ Manual Verification Required
The CVE record used for automatic detection carries no version ranges, so automated vulnerability detection cannot determine whether your system is affected.
Why? The NVD entry does not specify which versions are vulnerable. Use the patched releases listed under Official Fix and the vendor advisory instead.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to Rancher clusters, potentially compromising all managed Kubernetes resources, deploying malicious workloads, exfiltrating sensitive data, or disrupting operations.
Likely Case
An attacker phishes a user into completing a SAML login that hands the attacker the resulting token, then uses it to act with the victim's privileges across Rancher-managed resources and the Kubernetes clusters those privileges reach.
If Mitigated
With proper network segmentation, monitoring, and access controls, impact is limited to isolated systems with minimal lateral movement potential.
🎯 Exploit Status
Exploitation requires user interaction: the victim must follow an attacker-supplied link and complete a legitimate SAML login. The weakness is in Rancher's custom CLI login flow, not in the SAML protocol itself, so the identity provider sees an ordinary, successful authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rancher 2.8.7, 2.9.2, and 2.10.0
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-v3vj-5868-2ch2
Restart Required: Yes
Instructions:
1. Back up Rancher configuration and data.
2. Upgrade to Rancher 2.8.7, 2.9.2, or 2.10.0 using the official upgrade documentation.
3. Verify the upgrade completed successfully (check the reported server version).
4. Test SAML authentication functionality, including CLI login.
🔧 Temporary Workarounds
Disable SAML CLI Authentication
Temporarily disable SAML-based login for the Rancher CLI until patching is possible. This page gives no specific setting; the exact change depends on your Rancher version and auth provider.
# Modify Rancher configuration to disable SAML CLI auth
# Consult Rancher documentation for specific configuration changes
Restrict CLI Access
Limit Rancher CLI and API access to trusted networks and users only. A stolen token is only useful to an attacker who can reach the Rancher API with it.
# Implement network ACLs to restrict Rancher API access
# Use VPN or bastion hosts for CLI access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Rancher management plane
- Monitor for suspicious authentication activity, in particular CLI token use from an address other than the one that completed the SAML login. Note that multi-factor authentication at the identity provider does not by itself stop this attack: the victim completes a genuine login, and the token is stolen afterwards. Short token lifetimes and prompt revocation limit what a stolen token is worth.
🔍 How to Verify
Check if Vulnerable:
Check the Rancher version via the UI or API. If the version is earlier than 2.8.7 in the 2.8 line, earlier than 2.9.2 in the 2.9 line, or from a release line older than 2.8 (which has no listed fix), and SAML authentication is enabled for CLI login, the system is vulnerable.
Check Version:
kubectl get settings.management.cattle.io server-version -o jsonpath='{.value}'
Verify Fix Applied:
Verify the Rancher version is 2.8.7 or later in the 2.8 line, 2.9.2 or later in the 2.9 line, or 2.10.0 or later, then test SAML authentication functionality, including CLI login.
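The version rule above is easy to get wrong by hand because each release line has its own fix. The following is an added example (not Rancher's code or part of this page's database) that encodes the patched releases listed in the Official Fix section and reads the server version with the same kubectl command as above. The PATCHED table is taken from this page; confirm it against the vendor advisory before relying on it.

```python
import re
import subprocess

# Patched releases as listed in this page's "Official Fix" section. Confirm them
# against the vendor advisory before relying on this check.
PATCHED = {
    (2, 8): (2, 8, 7),
    (2, 9): (2, 9, 2),
    (2, 10): (2, 10, 0),
}


def parse_version(text):
    """Turn 'v2.8.5' or '2.9.2-rc1' into (2, 8, 5) / (2, 9, 2).

    Pre-release suffixes are ignored, so treat rc builds with care."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Rancher version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, saml_cli_enabled=True):
    """True if this Rancher version predates the fix for its release line.

    Release lines older than the oldest patched line have no fixed release
    and are reported vulnerable; lines newer than the newest patched line
    were released after the fix and are not."""
    if not saml_cli_enabled:
        return False
    v = parse_version(version)
    line = v[:2]
    if line < min(PATCHED):
        return True
    if line > max(PATCHED):
        return False
    fixed = PATCHED.get(line)
    if fixed is None:
        return True
    return v < fixed


def current_server_version():
    """Read the server-version setting with kubectl (the page's own command)."""
    out = subprocess.run(
        ["kubectl", "get", "settings.management.cattle.io", "server-version",
         "-o", "jsonpath={.value}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    ver = current_server_version()
    print(ver, "VULNERABLE" if is_vulnerable(ver) else "patched")
```

Run it with a kubeconfig pointing at the Rancher management cluster. The `saml_cli_enabled` flag is there because a patched version and a disabled SAML CLI login are both acceptable end states; the script does not query the auth provider configuration itself.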
📡 Detection & Monitoring
Log Indicators:
- Unusual SAML authentication patterns, such as a burst of CLI-style logins for one user
- Multiple failed authentication attempts from unexpected sources
- CLI token use from an IP address different from the one that completed the corresponding SAML login, or CLI token use with no recent SAML login for that user
Network Indicators:
- Unusual traffic patterns to Rancher authentication endpoints
- SAML authentication requests from unexpected sources
SIEM Query:
source="rancher" AND (event="authentication" OR event="saml") AND (status="failed" OR user_agent="cli")
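The query above only flags failures and CLI user agents. The stronger signal for this vulnerability is a successful SAML login in the browser followed by token use from a different address, because the victim authenticates legitimately and the attacker then uses the token from elsewhere. The following is an added example (not Rancher's code and not a query from this page) that runs that correlation over a few constructed log lines. The JSON field names (`event`, `user`, `src_ip`, `user_agent`) are assumptions for the example; map them to whatever your Rancher audit logs or ingress logs actually carry.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events for this example; NOT Rancher's real log format.
# alice completes a SAML login and uses the CLI token from the same host.
# bob completes a SAML login from his workstation, but the token is used
# 31 seconds later from an unrelated address: the pattern of a phished login.
# carol's CLI token use has no SAML login on record at all.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","event":"saml_login","user":"alice","src_ip":"10.0.1.15","user_agent":"Mozilla/5.0"}
{"ts":"2025-01-10T09:00:09Z","event":"cli_token_use","user":"alice","src_ip":"10.0.1.15","user_agent":"rancher-cli"}
{"ts":"2025-01-10T09:05:00Z","event":"saml_login","user":"bob","src_ip":"10.0.2.40","user_agent":"Mozilla/5.0"}
{"ts":"2025-01-10T09:05:31Z","event":"cli_token_use","user":"bob","src_ip":"203.0.113.77","user_agent":"rancher-cli"}
{"ts":"2025-01-10T11:00:00Z","event":"cli_token_use","user":"carol","src_ip":"10.0.3.9","user_agent":"rancher-cli"}
"""

# How long after a SAML login a CLI token use is still considered "paired" with it.
WINDOW = timedelta(minutes=15)


def parse_events(text):
    """Parse one JSON object per line and return the events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_cli_logins(events, window=WINDOW):
    """Correlate each CLI token use with the user's most recent SAML login.

    Alerts when the CLI source IP differs from the IP that completed the SAML
    login within `window`, or when there is no recent SAML login at all."""
    last_saml = {}
    alerts = []
    for e in events:
        if e["event"] == "saml_login":
            last_saml[e["user"]] = e
        elif e["event"] == "cli_token_use":
            login = last_saml.get(e["user"])
            if login is None or e["ts"] - login["ts"] > window:
                alerts.append({
                    "user": e["user"],
                    "reason": "cli_token_without_recent_saml_login",
                    "cli_ip": e["src_ip"],
                })
            elif login["src_ip"] != e["src_ip"]:
                alerts.append({
                    "user": e["user"],
                    "reason": "cli_ip_differs_from_saml_login_ip",
                    "login_ip": login["src_ip"],
                    "cli_ip": e["src_ip"],
                    "delay_s": int((e["ts"] - login["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_cli_logins(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The IP comparison is deliberately strict; users behind NAT or a VPN concentrator will share addresses and hide a mismatch, so in that environment compare on a session or device identifier if your logs carry one, and treat the "no recent SAML login" case as the more reliable signal.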