Introduction
Attackers can steal Rancher authentication tokens by tricking users into authenticating through malicious URLs, potentially granting unauthorized access to Kubernetes clusters. This issue directly impacts organizations using Rancher Manager with SAML authentication enabled, exposing critical infrastructure to phishing-based credential theft.
About Rancher: Rancher, now part of SUSE, is a major Kubernetes management platform used by enterprises worldwide to orchestrate and secure containerized workloads. Its user base spans thousands of organizations, making vulnerabilities in Rancher highly impactful across the cloud-native ecosystem.
Technical Information
CVE-2024-58267 targets Rancher Manager's SAML authentication flow when it is initiated from the CLI tool. The Rancher CLI generates a SAML login URL containing two key parameters: publicKey (used to encrypt the resulting authentication token) and requestId (used to correlate the CLI session with the web authentication flow).
The vulnerability arises from insufficient validation of these parameters. Specifically, Rancher Manager did not ensure that the publicKey and requestId provided in the authentication URL were legitimate and tied to an active, authorized CLI session. This allowed attackers to craft phishing URLs embedding attacker-controlled values for both parameters.
When a victim clicks such a URL and completes authentication, Rancher encrypts the authentication token with the attacker's public key and associates it with the attacker's requestId. The attacker can then decrypt the token and use it to access the Rancher environment with the victim's privileges. This attack requires the target to have SAML authentication enabled and to be convinced (via phishing or social engineering) to use the malicious URL.
The vulnerability is categorized as CWE-345 (Insufficient Verification of Data Authenticity). Attackers do not need to compromise the Rancher server directly; the attack is entirely external and relies on user interaction.
Patch Information
To address the vulnerability in Rancher Manager's SAML authentication, the development team implemented a series of critical updates aimed at mitigating the risk of phishing attacks. The primary focus was on enhancing the security of the SAML authentication process by introducing stricter validation mechanisms and improving the handling of authentication tokens.
Key Changes Implemented:
- Enhanced Validation of SAML Authentication Requests:
  - Request ID Verification: The system now rigorously verifies the requestId parameter in SAML authentication requests. This ensures that only legitimate authentication requests are processed, effectively preventing attackers from injecting malicious requestId values to hijack sessions.
- Improved Handling of Public Keys:
  - Public Key Validation: The application now performs thorough validation of the publicKey parameter provided during the SAML authentication process. This prevents attackers from supplying their own public keys to intercept and decrypt authentication tokens.
- User Awareness and Notification:
  - Authentication Request Transparency: Users are now informed about the origin and details of authentication requests. This transparency helps users identify potentially malicious login attempts and reduces the likelihood of falling victim to phishing attacks.
Code Implementation Details:
```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// activeSessions stands in for the server-side record of CLI logins awaiting
// completion; the real store belongs to the Rancher patch and is not shown here.
var activeSessions = map[string]bool{}

// Validate SAML authentication request
func validateSAMLRequest(requestId string, publicKey string) error {
	// Check if requestId is associated with an active session
	if !isValidRequestId(requestId) {
		return errors.New("Invalid or expired requestId")
	}
	// Validate the provided publicKey
	if !isValidPublicKey(publicKey) {
		return errors.New("Invalid publicKey")
	}
	// Proceed with authentication process
	return nil
}

// Function to check the validity of requestId: it must belong to an active CLI session
func isValidRequestId(requestId string) bool {
	return activeSessions[requestId]
}

// Function to check the validity of publicKey: placeholder check that it is a
// well-formed PEM-encoded public key (the patched server also ties it to the session)
func isValidPublicKey(publicKey string) bool {
	block, _ := pem.Decode([]byte(publicKey))
	if block == nil {
		return false
	}
	_, err := x509.ParsePKIXPublicKey(block.Bytes)
	return err == nil
}
```
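The sketch above leaves the two checks abstract. The following is an added illustration, not Rancher's code, of one way to make the checks meaningful: the CLI registers its requestId and public key with the server before the browser flow starts, and the SAML callback only encrypts a token for a pending, unexpired, unused registration whose key matches. The registry, key sizes and TTL handling are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// Constructed model of binding a CLI login to a registered session (not Rancher's code).
type pendingLogin struct {
	pubKey  *rsa.PublicKey
	expires time.Time
	used    bool
}

// LoginRegistry holds CLI logins waiting for the browser SAML flow to finish.
type LoginRegistry struct{ pending map[string]*pendingLogin }

func NewLoginRegistry() *LoginRegistry {
	return &LoginRegistry{pending: map[string]*pendingLogin{}}
}

// NewCLIKey models the CLI generating a fresh keypair before it opens the browser.
func NewCLIKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Register records the CLI session's requestId and public key (with an expiry) before the login URL is built.
func (r *LoginRegistry) Register(requestID string, pub *rsa.PublicKey, ttl time.Duration) {
	r.pending[requestID] = &pendingLogin{pubKey: pub, expires: time.Now().Add(ttl)}
}

// Complete runs after SAML succeeds. The requestId and publicKey carried in the URL are
// honoured only if they match a pending, unexpired, unused registration, which is then consumed.
func (r *LoginRegistry) Complete(requestID string, urlPub *rsa.PublicKey, token []byte) ([]byte, error) {
	p, ok := r.pending[requestID]
	if !ok || p.used || time.Now().After(p.expires) {
		return nil, errors.New("unknown, expired or already used requestId")
	}
	if urlPub == nil || !urlPub.Equal(p.pubKey) {
		return nil, errors.New("publicKey does not match the key registered for this requestId")
	}
	p.used = true // one-shot: a replayed callback cannot mint a second token
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, p.pubKey, token, nil)
}

// DecryptToken is the CLI side: only the holder of the registered private key can read the token.
func DecryptToken(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```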
Impact of the Patch:
By implementing these changes, Rancher Manager significantly reduces the risk of phishing attacks exploiting the SAML authentication process. The enhanced validation mechanisms ensure that only legitimate authentication requests are processed, and users are better equipped to recognize and respond to potential security threats.
Recommendations for Users:
- Update to Patched Versions: Users are strongly advised to upgrade to the patched versions of Rancher Manager to benefit from these security enhancements.
- User Education: Organizations should educate their users about recognizing phishing attempts and the importance of verifying authentication requests.
- Monitor Authentication Logs: Regularly review authentication logs to detect and respond to any suspicious activities promptly.
By staying vigilant and applying these updates, users can maintain a secure environment and protect against potential phishing attacks targeting the SAML authentication process.
Patch source: GitHub Advisory GHSA-v3vj-5868-2ch2
Affected Systems and Versions
- Rancher Manager deployments with SAML authentication enabled are affected.
- Vulnerable versions include all releases in each branch prior to the following fixed versions:
  - v2.12.2
  - v2.11.6
  - v2.10.10
  - v2.9.12
- All configurations using SAML authentication via the CLI tool are vulnerable.
Vendor Security History
Rancher (SUSE) has a consistent record of responsible vulnerability disclosure and timely patching. Previous advisories and CVEs indicate a mature security process and transparency in communication. The response to CVE-2024-58267 included coordinated advisories and patches for all supported versions, reflecting a robust security posture.