CVE-2023-32191 (CVSS 10) in Rancher Kubernetes Engine Exposes Sensitive Credentials

CVE-2023-32191

A critical vulnerability has been discovered in the Rancher Kubernetes Engine (RKE), a widely used Kubernetes distribution that simplifies the installation and operation of Kubernetes. This vulnerability, identified as CVE-2023-32191 and rated with a maximum CVSS score of 10, poses a severe risk to the security and integrity of Kubernetes clusters managed by RKE.

CVE-2023-32191

RKE, known for running Kubernetes entirely within Docker containers on both bare-metal and virtualized servers, has a significant security flaw in the way it stores cluster state information. The vulnerability arises because RKE stores sensitive credentials within a ConfigMap called full-cluster-state in the kube-system namespace of the cluster. This ConfigMap includes a variety of sensitive data, such as:

  • SSH credentials
  • AWS access and secret keys
  • Azure AD client secrets
  • Kubernetes encryption keys
  • Cloud provider credentials (e.g., OpenStack, Vsphere, Harvester)

The presence of these credentials in a ConfigMap means that anyone with read access to this ConfigMap effectively gains administrative-level control over the entire Kubernetes cluster. This level of access can lead to severe breaches in confidentiality, integrity, and availability, potentially exposing an organization’s entire cloud infrastructure to malicious actors.

The full-cluster-state ConfigMap contains the complete state of the Kubernetes cluster, including critical configuration details and credentials required for cluster operations. While access to this ConfigMap typically requires permissions within the RKE cluster, it is not limited to administrators. Non-administrative users with the ability to read this ConfigMap can exploit it to gain unauthorized access and control over the cluster.

To mitigate the CVE-2023-32191 vulnerability, RKE users must upgrade to the patched versions:

These updates include changes that migrate the cluster state from a ConfigMap to a more secure secret in the kube-system namespace. Access to this secret is restricted to users with appropriate permissions, specifically admin and cluster-owner roles in Rancher.

For those unable to upgrade immediately, there are no effective workarounds. It is crucial to prioritize upgrading RKE to protect your Kubernetes environments from potential exploitation.