NeuVector CVE-2023-32188: A Critical Bug That Can Allow RCE

In the vast world of container security, NeuVector, developed and maintained by SUSE, stands tall as a beacon of protection for containerized environments throughout their entire lifecycle. Its comprehensive suite of tools and features is designed for both the developer deploying applications and the IT operations team guarding runtime operations. As one of the few fully open-source container security platforms, NeuVector has garnered immense trust from industry giants and government agencies alike.

A recently identified security flaw tracked as CVE-2023-32188, has sent ripples across the cybersecurity community due to its critical severity. This vulnerability concerns the JWT (JSON Web Token) utilized for authentication in NeuVector’s Manager and API access. If exploited, a malicious actor can reverse engineer this token, essentially forging a valid NeuVector token. This counterfeit access can, alarmingly, pave the way for Remote Code Execution (RCE).

NeuVector uses JSON Web Tokens (JWTs) for authentication. A JWT is a signed object that contains a set of claims. These claims can be used to identify the user and authorize them to access certain resources.

The CVE-2023-32188 vulnerability allows an attacker to reverse engineer the JWT token used in authentication for Manager and API access. This allows the attacker to forge a valid NeuVector token and perform malicious activity, such as:

• Executing arbitrary code on the NeuVector server
• Viewing and modifying sensitive data
• Gaining full control of the NeuVector platform

The impact of this vulnerability is severe. If an attacker is able to exploit this vulnerability, they could gain complete control of the NeuVector platform and all of the containerized applications that it is protecting.

Thankfully, the vigilant team behind NeuVector has already rolled out essential patches to counter the CVE-2023-32188 vulnerability:

1. Immediate Upgrade: Users are urged to promptly upgrade to NeuVector version 5.2.2 or later, alongside the latest Helm chart (2.6.3+). This upgraded version introduces an automatic creation of the JWT-signing certificate by the controller with a validity of 90 days, ensuring auto-rotation for enhanced security.
2. Helm-based Deployment: A Helm-based deployment or upgrade to 5.2.2 is critical. It generates a unique certificate not just for the Manager but also for the REST API and registry adapter. This step is indispensable for the auto-generation of certificates during both the initial installation and each subsequent upgrade.
3. Additional Protections: NeuVector 5.2.2 isn’t solely about the JWT-signing certificate. The version also introduces added barriers against potential RCE, especially concerning the feature of custom compliance scripts.
4. Manual Advice: Users opting for manual or yaml-based deployments can find crucial advice in the release notes for mitigating risks.

If you are unable to upgrade to NeuVector version 5.2.2 or later, you can work around the vulnerability by manually replacing the Manager and Controller certificates. However, upgrading to 5.2.2 is recommended to provide additional security enhancements to prevent possible attempted exploits and resulting RCE.