Rancher Security Update CVE-2024-22030

A newly discovered vulnerability within Rancher and Fleet, currently deemed a medium to high severity CVE-2024-22030, can be exploited in narrow circumstances through a man-in-the middle attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain in order to exploit this vulnerability. The targeted domain is the one used as the Rancher URL. SUSE is not aware of any commercial exploitation of the described vulnerability, which has a high complexity bar for exploitation. Below, please find the advised remediation for all Rancher customers and users. 

Initially contacted by a third-party researcher in October, SUSE provided the researcher with our email address to send any security concerns to. The researcher responded on Wednesday, 14 February stating he intends to disclose the vulnerability during a presentation on 17 February.

Details and remediation

As mentioned above, based on our initial investigation, the described vulnerability is difficult to exploit and certain external conditions, outside the control of the Rancher server, must be met and executed by a malicious actor. These are: 

1. Attacker is able to hijack the domain used to register Rancher (the server-url of the Rancher cluster) or is able to execute a DNS hijacking or spoofing of that domain.
2. Attacker is able to generate a valid certificate for the targeted domain/DNS. 
3. The certificate is valid and generated by a trusted CA that is also in the trust store of the targeted Rancher server; or the valid certificate is generated by a valid CA that was previously configured in the Rancher installation. 
4. If an attacker succeeds with steps 1 and 2, and if 3 is a match, then the weakness in the Rancher and Fleet agents’ CA data check can be exploited.
   1. Note: customers and users using certificates signed by their own private CAs do not seem to be affected by this issue, as long as their CA signing key is not leaked.

To remediate the issue, SUSE Rancher customers and users should follow standard security practices including: 

1. Make sure to properly control the expiration and ownership of the domain used as the Rancher URL (the server-url of the Rancher cluster).
2. Evaluate enabling DNSSEC as a way to protect against DNS spoofing or hijacking attacks. 
3. Monitor attempts to hijack the domain and DNS.
4. Monitor attempts to create rogue certificates against your domain and the Rancher URL.
   1. Services like crt.sh and other monitors, from the Certificate Transparency (CT) project, are good places to watch for rogue certificates.
5. Properly clean up and decommission unused clusters and downstream clusters, instead of leaving them behind. For example, downstream clusters which are alive while the main Rancher server is no longer available.
   1. See more information about how to remove Rancher components from a cluster, for the cases where decommissioning the entire cluster isn’t an option. 
6. Further remediations will be provided as we continue to investigate this issue.

As is typical in the software and security industry, SUSE has worked closely with many researchers who have pre-emptively identified security concerns within our solutions, and who have given SUSE appropriate time to address those issues. Such notice typically happens within a 30 – 60 day window before disclosure. In this particular situation we were not provided the opportunity to address the concern prior to disclosure by the third-party researcher mentioned above. Naturally, the Rancher security team is working to develop a fix for this vulnerability as quickly as possible. More updates will be provided when available. 

Security and reliability continue to be of the utmost importance to the SUSE team. If you have any questions or concerns, please reach out to your SUSE contact or the SUSE security team at security-rancher@suse.com.