Rancher Manager SAML Authentication Token Phishing – Brief Summary of CVE-2024-58267

This post provides a brief summary of CVE-2024-58267, a high-severity vulnerability in Rancher Manager's SAML authentication via the CLI tool. The flaw allows attackers to craft phishing URLs that can steal authentication tokens. We cover technical details, affected versions, and official patch information.
CVE Analysis

ZeroPath CVE Analysis

2025-10-02
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can steal Rancher authentication tokens by tricking users into authenticating through malicious URLs, potentially granting unauthorized access to Kubernetes clusters. This issue directly impacts organizations using Rancher Manager with SAML authentication enabled, exposing critical infrastructure to phishing-based credential theft.

About Rancher: Rancher, now part of SUSE, is a major Kubernetes management platform used by enterprises worldwide to orchestrate and secure containerized workloads. Its user base spans thousands of organizations, making vulnerabilities in Rancher highly impactful across the cloud-native ecosystem.

Technical Information

CVE-2024-58267 targets Rancher Manager's SAML authentication flow when initiated from the CLI tool. The Rancher CLI generates a SAML login URL containing two key parameters: publicKey (used to encrypt the resulting authentication token) and requestId (used to correlate the CLI session with the web authentication flow).

The vulnerability arises from insufficient validation of these parameters. Specifically, Rancher Manager did not ensure that the publicKey and requestId provided in the authentication URL were legitimate and tied to an active, authorized CLI session. This allowed attackers to craft phishing URLs embedding attacker-controlled values for both parameters.

When a victim clicks such a URL and completes authentication, Rancher encrypts the authentication token with the attacker's public key and associates it with the attacker's requestId. The attacker can then decrypt the token and use it to access the Rancher environment with the victim's privileges. This attack requires the target to have SAML authentication enabled and to be convinced (via phishing or social engineering) to use the malicious URL.

The vulnerability is categorized as CWE-345 (Insufficient Verification of Data Authenticity). Attackers do not need to compromise the Rancher server directly; the attack is entirely external and relies on user interaction.

Patch Information

To address the vulnerability in Rancher Manager's SAML authentication, the developers added stricter validation of the parameters that drive the CLI login flow and changed how the resulting authentication tokens are handled, so that a URL crafted by a third party can no longer redirect a token to an attacker-controlled key.

Key Changes Implemented:

  1. Enhanced Validation of SAML Authentication Requests:

    • Request ID Verification: The system now rigorously verifies the requestId parameter in SAML authentication requests. This ensures that only legitimate authentication requests are processed, effectively preventing attackers from injecting malicious requestId values to hijack sessions.
  2. Improved Handling of Public Keys:

    • Public Key Validation: The application now performs thorough validation of the publicKey parameter provided during the SAML authentication process. This prevents attackers from supplying their own public keys to intercept and decrypt authentication tokens.
  3. User Awareness and Notification:

    • Authentication Request Transparency: Users are now informed about the origin and details of authentication requests. This transparency helps users identify potentially malicious login attempts and reduces the likelihood of falling victim to phishing attacks.

Code Implementation Details:

```go
package auth

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"time"
)

// Illustrative in-memory store of requestIds registered by the CLI, mapped to
// their expiry time (stands in for the server's real session storage).
var activeRequests = map[string]time.Time{}

// Validate SAML authentication request
func validateSAMLRequest(requestId string, publicKey string) error {
	// Check if requestId is associated with an active session
	if !isValidRequestId(requestId) {
		return errors.New("Invalid or expired requestId")
	}
	// Validate the provided publicKey
	if !isValidPublicKey(publicKey) {
		return errors.New("Invalid publicKey")
	}
	// Proceed with authentication process
	return nil
}

// Function to check the validity of requestId
func isValidRequestId(requestId string) bool {
	// Illustrative logic: the id must be known to the server and not yet expired
	expires, ok := activeRequests[requestId]
	return ok && time.Now().Before(expires)
}

// Function to check the validity of publicKey
func isValidPublicKey(publicKey string) bool {
	// Illustrative logic: the value must parse as a PEM-encoded PKIX public key
	block, _ := pem.Decode([]byte(publicKey))
	if block == nil || block.Type != "PUBLIC KEY" {
		return false
	}
	_, err := x509.ParsePKIXPublicKey(block.Bytes)
	return err == nil
}
```
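The sketch above validates requestId and publicKey separately; what actually closes the phishing hole is binding the two to a login the CLI itself started, so the server never encrypts a token to a key it only learned from a clicked URL. The following is an added model of that bound flow (not Rancher's code); the in-memory registry and the function names are assumptions:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Hypothetical server-side registry: requestId -> public key the CLI registered (added example, not Rancher's code).
var pendingLogins = map[string]*rsa.PublicKey{}
// cliStartLogin: the CLI makes a fresh keypair and registers requestId and publicKey with the server before opening the browser.
func cliStartLogin() (string, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	requestId := fmt.Sprintf("%x", id)
	pendingLogins[requestId] = &priv.PublicKey
	return requestId, priv, nil
}

// completeLogin runs after SAML succeeds: requestId must be registered (and is consumed), the URL's key must
// equal the registered key, and the token is encrypted only to the registered key, never to a key from the URL.
func completeLogin(requestId string, urlKey *rsa.PublicKey, token string) ([]byte, error) {
	registered, ok := pendingLogins[requestId]
	if !ok {
		return nil, fmt.Errorf("unknown or already used requestId %q", requestId)
	}
	delete(pendingLogins, requestId)
	if urlKey == nil || !registered.Equal(urlKey) {
		return nil, fmt.Errorf("publicKey in URL does not match the key registered for %q", requestId)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, registered, []byte(token), nil)
}

// cliDecryptToken: only the holder of the registered private key can recover the token.
func cliDecryptToken(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	return string(pt), err
}
func main() {
	reqID, priv, _ := cliStartLogin()
	ct, _ := completeLogin(reqID, &priv.PublicKey, "constructed-token")
	fmt.Println(cliDecryptToken(priv, ct))
}
```

With this binding, a URL carrying an unregistered requestId or a key other than the one the CLI registered is rejected before any token is issued, and a consumed requestId cannot be replayed.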

Impact of the Patch:

By implementing these changes, Rancher Manager significantly reduces the risk of phishing attacks exploiting the SAML authentication process. The enhanced validation mechanisms ensure that only legitimate authentication requests are processed, and users are better equipped to recognize and respond to potential security threats.

Recommendations for Users:

  • Update to Patched Versions: Users are strongly advised to upgrade to the patched versions of Rancher Manager to benefit from these security enhancements.
  • User Education: Organizations should educate their users about recognizing phishing attempts and the importance of verifying authentication requests.
  • Monitor Authentication Logs: Regularly review authentication logs to detect and respond to any suspicious activities promptly.

By staying vigilant and applying these updates, users can maintain a secure environment and protect against potential phishing attacks targeting the SAML authentication process.

Patch source: GitHub Advisory GHSA-v3vj-5868-2ch2

Affected Systems and Versions

  • Rancher Manager deployments with SAML authentication enabled are affected.
  • Vulnerable versions include all releases prior to:
    • v2.12.2
    • v2.11.6
    • v2.10.10
    • v2.9.12
  • All configurations using SAML authentication via the CLI tool are vulnerable.

Vendor Security History

Rancher (SUSE) has a consistent record of responsible vulnerability disclosure and timely patching. Previous advisories and CVEs indicate a mature security process and transparency in communication. The response to CVE-2024-58267 included coordinated advisories and patches for all supported versions, reflecting a robust security posture.
