CVE-2022-45157 (CVSS 9.1): Critical Security Flaw in Rancher Exposes vSphere Credentials in Plaintext
The SUSE Rancher Security team has issued an advisory for CVE-2022-45157, a critical vulnerability (CVSS 9.1) in the way Rancher handles the credentials used by vSphere's Cloud Provider Interface (CPI) and Container Storage Interface (CSI). In affected Rancher configurations, the flaw could expose these vSphere credentials to unauthorized users.
Rancher, an open-source container management platform popular among enterprises for deploying Kubernetes, has been discovered to store vSphere CPI and CSI credentials in plaintext within its configuration objects. “A vulnerability has been identified in the way that Rancher stores vSphere’s CPI and CSI credentials… this issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher,” states the advisory.
The exposure affects clusters provisioned in vSphere environments through Rancher's user interface, Cluster Templates, or Terraform. According to the advisory, the credentials are readable in the provisioning.cattle.io cluster object, under spec.rkeConfig.chartValues.rancher-vsphere-cpi and spec.rkeConfig.chartValues.rancher-vsphere-csi, and in the corresponding fields of the rke.cattle.io rkecontrolplane object. They are also written to the downstream cluster's filesystem, where they can be read by any user with privileged access to that filesystem.
To address the flaw, Rancher has released patched versions 2.8.9 and 2.9.3, and the advisory urges affected users to update to one of them immediately. Updating alone is not sufficient: after the upgrade, administrators must run an automated script provided by SUSE to clean up credentials that remain in existing cluster objects: “After updating your environment… execute this script that provides an automated way to mitigate any vulnerable leftover vSphere clusters’ credentials within Rancher’s local cluster.”
The script migrates the credentials out of the plaintext chart values into secrets stored in the fleet-default namespace. It backs up the affected cluster configurations before modifying them, so a rollback is possible, and it is idempotent, so it can be re-run safely to validate that nothing was missed. SUSE also advises enabling the provisioningprebootstrap feature flag after the update; the advisory describes it as required for both upgraded and newly installed clusters.
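As an added verification step (this is example code written for this page, not the advisory's or SUSE's own script), the following Python reads the JSON that `kubectl get ... -o json` produces and reports every non-empty `password` that still sits beneath a `rancher-vsphere-cpi` or `rancher-vsphere-csi` chart-values key. It walks the whole `spec` rather than a fixed path, so the same check covers the provisioning.cattle.io cluster object and the rkecontrolplane object without assuming the latter's exact layout. The resource names in the usage comment and the `vCenter.password` layout of the sample objects are assumptions; the sample input is constructed and is not real Rancher output.

```python
"""Check Rancher cluster objects for vSphere CPI/CSI passwords left in plaintext chart values.

Usage against a live Rancher local cluster (resource names are assumed):
    kubectl get clusters.provisioning.cattle.io -A -o json | python3 find_vsphere_plaintext.py
    kubectl get rkecontrolplanes.rke.cattle.io -A -o json  | python3 find_vsphere_plaintext.py
    python3 find_vsphere_plaintext.py --sample        # run against the constructed sample below
Exit status 1 means at least one object still carries a plaintext password.
"""
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

# Chart-value keys named in the advisory as the location of the CPI/CSI credentials.
VSPHERE_CHARTS = ("rancher-vsphere-cpi", "rancher-vsphere-csi")


def _walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (path, leaf) for every scalar in a nested dict/list structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))
    else:
        yield path, node


def find_plaintext_vsphere_creds(spec: Dict[str, Any]) -> List[str]:
    """Return dotted paths of non-empty 'password' strings found anywhere beneath a
    rancher-vsphere-cpi or rancher-vsphere-csi key in the given spec."""
    hits: List[str] = []
    for path, value in _walk(spec):
        if not any(segment in VSPHERE_CHARTS for segment in path):
            continue
        if path[-1] == "password" and isinstance(value, str) and value.strip():
            hits.append("spec." + ".".join(path))
    return hits


def scan(kube_json: Dict[str, Any]) -> Dict[str, List[str]]:
    """Scan a kubectl 'List' (or a single object) and map namespace/name to findings."""
    items = kube_json.get("items", []) if kube_json.get("kind") == "List" else [kube_json]
    findings: Dict[str, List[str]] = {}
    for item in items:
        meta = item.get("metadata", {})
        key = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        hits = find_plaintext_vsphere_creds(item.get("spec", {}))
        if hits:
            findings[key] = hits
    return findings


# Constructed sample input (not real Rancher output): one cluster whose chart values
# still carry passwords, one whose password field is empty. The vCenter.password layout
# is an assumption about the vsphere chart values, not something the advisory states.
SAMPLE_LIST = {
    "kind": "List",
    "items": [
        {
            "kind": "Cluster",
            "metadata": {"namespace": "fleet-default", "name": "vsphere-prod"},
            "spec": {"rkeConfig": {"chartValues": {
                "rancher-vsphere-cpi": {"vCenter": {"host": "vc.example.invalid",
                                                    "username": "cpi@vsphere.local",
                                                    "password": "Pl@intext-1"}},
                "rancher-vsphere-csi": {"vCenter": {"host": "vc.example.invalid",
                                                    "username": "csi@vsphere.local",
                                                    "password": "Pl@intext-2"}},
            }}},
        },
        {
            "kind": "Cluster",
            "metadata": {"namespace": "fleet-default", "name": "vsphere-clean"},
            "spec": {"rkeConfig": {"chartValues": {
                "rancher-vsphere-cpi": {"vCenter": {"host": "vc.example.invalid",
                                                    "username": "cpi@vsphere.local",
                                                    "password": ""}},
            }}},
        },
    ],
}


def main() -> int:
    data = SAMPLE_LIST if "--sample" in sys.argv else json.load(sys.stdin)
    findings = scan(data)
    for obj, paths in findings.items():
        for path in paths:
            print(f"PLAINTEXT  {obj}  {path}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against both resource types after the SUSE script has completed; a clean run prints nothing and exits 0, which makes it usable as a gate in a post-upgrade checklist. Because the check keys on the chart name rather than a fixed path, a future change to where Rancher nests the chart values will not silently produce a false negative.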
Apart from limiting Rancher access to trusted users, there is no workaround. “Besides only granting access to Rancher to trusted users… there is no direct workaround for this security issue, except updating Rancher to one of the patched versions,” cautions the advisory. Notably, Rancher 2.7 will not receive a backported fix for this vulnerability, so users on 2.7 who rely on vSphere provisioning are encouraged to upgrade to a patched version.