CVE-2023-32197 (CVSS 9.1): Critical RKE2 Flaw Exposes Windows Nodes to Privilege Escalation
A significant security vulnerability, CVE-2023-32197, has been identified in RKE2, Rancher’s Kubernetes distribution geared toward high-security environments, including the U.S. Federal Government. The vulnerability, rated with a high severity score of 9.1 on the CVSS scale, affects RKE2 deployments on Windows nodes by allowing unauthorized access to sensitive files through insecure Access Control Lists (ACLs), potentially leading to privilege escalation.
This vulnerability allows any user within the BUILTIN\Users or NT AUTHORITY\Authenticated Users groups to view or modify critical files, such as binaries, scripts, configuration, and log files, within the Windows environment. Unauthorized access to these files, including those stored in directories like C:\etc\rancher\node\password and C:\var\lib\rancher\rke2\agent\logs\kubelet.log, can allow malicious actors to gain elevated privileges on the affected system, posing a substantial security risk.
The flaw impacts the following files and directories:
This issue is exclusive to RKE2 deployments in Windows environments, meaning Linux installations of RKE2 remain unaffected by this particular vulnerability.
Rancher has addressed this vulnerability in the following RKE2 versions:
- RKE2 1.31.0
- RKE2 1.30.2
- RKE2 1.29.6
- RKE2 1.28.11
- RKE2 1.27.15
Users are advised to perform a fresh installation of RKE2 on Windows nodes with a patched version to mitigate this security risk. Additionally, Rancher Manager, a crucial tool in managing Kubernetes deployments, is also impacted by this flaw, with patched versions available in Rancher Manager 2.8.9 and 2.9.3. Users of Rancher Manager 2.7 should upgrade to a newer minor version, as no patches will be issued for that series.
For users unable to apply the patches immediately, a workaround can be implemented to secure ACLs on affected files manually. Running a PowerShell script as an Administrator on each node can enforce stricter ACLs, limiting unauthorized access to sensitive files. This temporary measure can help secure the environment until a full patch can be applied.
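As an added illustration of that workaround (not Rancher's own script, which the advisory does not reproduce here), the PowerShell below audits and then tightens the ACLs on the two paths the article names. It removes explicit entries for BUILTIN\Users and NT AUTHORITY\Authenticated Users, stops those groups inheriting access from the parent directory, and leaves only SYSTEM and Administrators with Full Control. The path list, the function names and the choice of SYSTEM/Administrators as the remaining principals are assumptions for this example; a real deployment would extend `$Paths` to every file and directory the vendor lists. Run it in an elevated PowerShell session on each Windows node.

```powershell
# Added example: hardens ACLs on the RKE2 paths named in the advisory.
# Not Rancher's official workaround; run as Administrator on each Windows node.
# Only the two paths quoted in the article are listed; extend as needed (assumption).
$Paths = @(
    'C:\etc\rancher\node\password',
    'C:\var\lib\rancher\rke2\agent\logs\kubelet.log'
)

# The two over-broad principals the vulnerability grants access to.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Returns any ACE (explicit or inherited) that still grants the broad groups access.
function Test-BroadAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object { $BroadPrincipals -contains $_.IdentityReference.Value }
}

# Rewrites the DACL so only SYSTEM and Administrators retain Full Control.
function Protect-NodePath {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing path: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path

    # Break inheritance and discard inherited ACEs (second argument $false);
    # the inherited entries disappear once Set-Acl persists the object.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit ACEs for the broad groups. RemoveAccessRule only affects
    # explicit entries, which is why inheritance is cut above.
    foreach ($ace in @($acl.Access)) {
        if ($BroadPrincipals -contains $ace.IdentityReference.Value) {
            $null = $acl.RemoveAccessRule($ace)
        }
    }

    # Directories propagate to children; files must use InheritanceFlags None.
    $isDir = (Get-Item -LiteralPath $Path).PSIsContainer
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }

    foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $principal, 'FullControl', $inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit, harden, then re-audit each path so the change is verified, not assumed.
foreach ($p in $Paths) {
    $before = Test-BroadAccess -Path $p 2>$null
    if ($before) { Write-Host "Broad access found on $p (" + ($before.IdentityReference -join ', ') + ")" }
    Protect-NodePath -Path $p
    if (Test-Path -LiteralPath $p) {
        $after = Test-BroadAccess -Path $p
        if ($after) { Write-Warning "$p still grants access to a broad group" }
        else { Write-Host "Hardened: $p" }
    }
}
```

After running it, `icacls C:\etc\rancher\node\password` should list only SYSTEM and Administrators; any remaining `BUILTIN\Users` or `Authenticated Users` entry means a parent-level ACE was re-applied and the path needs another look. Treat this as a stopgap only: a fresh install of a patched RKE2 version is the fix the vendor recommends.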