
The SUSE Rancher Security Team has issued a security advisory regarding a newly disclosed vulnerability affecting multiple versions of Rancher, the popular open-source container management platform. Tracked as CVE-2024-22031 and assigned a CVSS score of 8.6, the flaw could allow privilege escalation across Kubernetes clusters, posing a serious risk to enterprise environments running containerized applications in production.
According to the advisory, “a user with the ability to create a project on a certain cluster can create a project with the same name as an existing project in a different cluster.” This oversight enables unauthorized access to resources in the other project, due to a namespace collision that arises because “the namespace used on the local cluster to store related resources (PRTBs and secrets) is the name of the project.”
The issue impacts multiple versions of Rancher prior to the following fixed releases:
For these versions, the vulnerability has been mitigated through a significant change in how Rancher assigns namespaces. The advisory states: “Instead of using the project name as the namespace, Rancher will instead be using a new field on the project spec called backingNamespace.”
The backingNamespace ensures a unique and collision-resistant reference that prevents cross-cluster privilege confusion. This architectural change was implemented across both Rancher core and the associated webhook system.
The updated webhook logic now:
- Uses SafeConcatName(project.Spec.ClusterName, project.Name) to generate unique backingNamespace values.
- Removes previous validation requiring the project name and namespace to match.
- Locks the backingNamespace field after it has been set to prevent tampering.
This fix, however, will not be backported to the v2.8 release line, which is approaching end-of-life (EOL). SUSE explains, “The fix for v2.8 was considered too complex and with the risk of introducing instabilities right before this version goes into end-of-life.”
For users unable to upgrade immediately, the Rancher team recommends:
- Preventing users from creating projects with identical names across clusters.
- Running an administrative audit to identify any name collisions using:
Any project name appearing more than once across clusters may indicate a security risk. To mitigate, SUSE advises administrators to delete and recreate the affected projects to resolve potential namespace conflicts. Deleting only some instances is discouraged: “a user could have given themselves access to the wrong project.”
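As an added illustration (not code from Rancher, the webhook, or the advisory), the Go snippet below contrasts the legacy project-name namespace with a backingNamespace derived from cluster and project name, and implements the duplicate-name audit recommended above. The `Project` type, the sample values, and `safeConcatName` (a simplified stand-in for the real helper, assumed behaviour only) are all assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Project: the cluster a project belongs to and its name.
type Project struct {
	ClusterName string
	Name        string
}
// legacyNamespace is the pre-fix scheme from the advisory: the local namespace
// for a project's PRTBs and secrets is just the project name, so same-named
// projects in different clusters share one namespace.
func legacyNamespace(p Project) string { return p.Name }

// safeConcatName is a simplified stand-in (assumed behaviour, not Rancher's
// own helper): join with "-" and, past the 63-char Kubernetes name limit,
// truncate and append a short hash so distinct inputs stay distinct.
func safeConcatName(parts ...string) string {
	full := strings.Join(parts, "-")
	if len(full) < 64 {
		return full
	}
	sum := sha256.Sum256([]byte(full))
	return full[:57] + "-" + hex.EncodeToString(sum[:])[:5]
}
// backingNamespace is the post-fix value: unique per (cluster, project) pair.
func backingNamespace(p Project) string {
	return safeConcatName(p.ClusterName, p.Name)
}

// findCollisions is the audit the advisory recommends: every project name
// seen in more than one cluster, mapped to the clusters where it appears.
func findCollisions(projects []Project) map[string][]string {
	byName := map[string][]string{}
	for _, p := range projects {
		byName[p.Name] = append(byName[p.Name], p.ClusterName)
	}
	out := map[string][]string{}
	for n, clusters := range byName {
		if len(clusters) > 1 {
			out[n] = clusters
		}
	}
	return out
}
```

Any name reported by findCollisions is a candidate for the delete-and-recreate remediation the advisory describes, applied to every instance rather than just one.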