OS Command Injection in rancher/rancher

Status: Valid

Reported on: Jun 1st 2022


Description

An OS Command Injection in the Rancher Continuous Delivery panel, Add Repository function.

Proof of Concept

First install Rancher in Docker and log in. Go to the Continuous Delivery panel and click the Add Repository button.
Set the repository URL to --upload-pack=$(touch /tmp/poc) and click the Create button. We can see error information like this. Then go to our pods; we found the poc file, proving that the command executed:

docker exec -it 5ee8b011a2f7 /bin/sh
sh-4.4# kubectl exec -ti --namespace=cattle-fleet-system gitjob-6b977748fc-gjzhl -- sh
/ $ ls /tmp
poc

Impact

execute command
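
The bug class behind the PoC above is argument injection: a repository URL taken from the form is handed to the git binary as a positional argument, and git treats a value beginning with "-" as an option, so --upload-pack=$(touch /tmp/poc) becomes git's --upload-pack setting and the value is run through a shell when git spawns the upload-pack helper. The Go program below is an added illustration written for this page; it is not Rancher's or Wrangler's code and does not claim to reproduce their actual fix. The function names, the use of git ls-remote as the subcommand, and the allowed-scheme list are assumptions. It shows the vulnerable argv construction next to a hardened builder that rejects "-"-prefixed and non-URL input and places "--" before the URL so git stops option parsing (scp-style user@host:path syntax is deliberately out of scope here).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"strings"
)

// Added illustration of the bug class in the report above; this is NOT
// Rancher's or Wrangler's code, and the function names are invented.

// buildGitArgsUnsafe shows the vulnerable pattern: the repository URL
// typed into the "Add Repository" form is passed straight to git as a
// positional argument. git's option parser sees a leading "-" and treats
// "--upload-pack=$(touch /tmp/poc)" as its --upload-pack option; git then
// runs that value through a shell when it spawns the upload-pack helper,
// which is what creates /tmp/poc in the gitjob pod.
func buildGitArgsUnsafe(repoURL string) []string {
	return []string{"ls-remote", repoURL}
}

var ErrInvalidRepoURL = errors.New("invalid repository URL")

// allowedSchemes is an assumption for this example; a real product
// would take its list from configuration.
var allowedSchemes = map[string]bool{"http": true, "https": true, "ssh": true, "git": true}

// validateRepoURL rejects anything git could mistake for an option and
// only accepts absolute URLs with a known scheme and a host. scp-style
// "user@host:path" syntax is deliberately not accepted by this example.
func validateRepoURL(raw string) error {
	raw = strings.TrimSpace(raw)
	if raw == "" || strings.HasPrefix(raw, "-") {
		return fmt.Errorf("%w: %q must not be empty or start with '-'", ErrInvalidRepoURL, raw)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrInvalidRepoURL, err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("%w: scheme %q not allowed", ErrInvalidRepoURL, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("%w: missing host", ErrInvalidRepoURL)
	}
	return nil
}

// buildGitArgsSafe validates first and then places "--" before the URL,
// so git stops option parsing and everything after it is positional.
// The "--" is defense in depth; the validation is the primary control.
func buildGitArgsSafe(repoURL string) ([]string, error) {
	if err := validateRepoURL(repoURL); err != nil {
		return nil, err
	}
	return []string{"ls-remote", "--", strings.TrimSpace(repoURL)}, nil
}

// gitCommand assembles the exec.Cmd without running it. exec.Command does
// not invoke a shell, so the danger is not shell metacharacters in Go but
// git's own interpretation of "-"-prefixed arguments.
func gitCommand(args []string) *exec.Cmd {
	return exec.Command("git", args...)
}

func main() {
	payload := "--upload-pack=$(touch /tmp/poc)" // the PoC value from the report
	fmt.Println("unsafe argv:", gitCommand(buildGitArgsUnsafe(payload)).Args)
	if _, err := buildGitArgsSafe(payload); err != nil {
		fmt.Println("safe builder rejected payload:", err)
	}
	args, err := buildGitArgsSafe("https://github.com/rancher/fleet-examples")
	if err != nil {
		panic(err)
	}
	fmt.Println("safe argv:", gitCommand(args).Args)
}
```

Running it prints the argv that each builder would hand to git: the unsafe one forwards the payload as git's second argument, while the safe one refuses it and emits ["git", "ls-remote", "--", "<url>"] only for a well-formed https URL.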

Timeline:
  • We are processing your report and will contact the rancher team within 24 hours. (10 months ago)
  • cokebeer modified the report (10 months ago)
  • cokebeer modified the report (10 months ago)
  • cokebeer modified the report (10 months ago)
  • We have contacted a member of the rancher team and are waiting to hear back. (10 months ago)

rancher/rancher maintainer (Maintainer), 10 months ago:

Hi cokebeer.

Thank you for reporting this issue to us.

We will verify and review this internally to confirm the issue and then get back to you with an update.

If you have any questions in the meantime, please let us know. You can also use our GPG key to securely communicate with us - https://github.com/rancher/rancher/security/policy.

Thanks, Guilherme

  • We have sent a follow up to the rancher team. We will try again in 7 days. (10 months ago)
  • rancher/rancher maintainer has acknowledged this report (10 months ago)
  • rancher/rancher maintainer validated this vulnerability (10 months ago)

rancher/rancher maintainer (Maintainer), 10 months ago:

Hi cokebeer (also CCing huntr.dev platform).

We acknowledge this issue and will work on a fix. We don't have a timeframe for the fix and which version of Rancher will ship it (we need to patch two branches - 2.6 and 2.5). We will share more details as soon as possible. We kindly ask to keep this information under embargo, since it's a security issue.

Right now the exposure is limited to only admin users in Rancher, which are already privileged users, so they can do anything in the Kubernetes clusters anyway. As we progress with the fix, we might adjust the severity and the CVSS score accordingly.

We also ask, please, to not request a CVE number, because we do this process internally when we are about to release the security advisory publicly.

If you have any questions, please let me know.

Thanks. Guilherme

  • cokebeer has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
  • The researcher's credibility has increased: +7
  • We have sent a fix follow up to the rancher team. We will try again in 7 days. (9 months ago)
  • We have sent a second fix follow up to the rancher team. We will try again in 10 days. (9 months ago)
  • We have sent a third and final fix follow up to the rancher team. This report is now considered stale. (9 months ago)

rancher/rancher maintainer (Maintainer), 6 months ago:

Hi. This is just an update to let you know that we are working privately to fix this issue. As soon as we have a timeline to release, I'll update here again. Thanks, Guilherme

rancher/rancher maintainer (Maintainer), 2 months ago:

Hi.

I want to inform that this issue is now publicly fixed in the new Rancher versions:

  • v2.7.1 - https://github.com/rancher/rancher/releases/tag/v2.7.1
  • v2.6.10 - https://github.com/rancher/rancher/releases/tag/v2.6.10
  • v2.5.17 - https://github.com/rancher/rancher/releases/tag/v2.5.17

The reported issue was not in Rancher, but in Wrangler, a framework used in Rancher. So the issue was assigned CVE-2022-31249 and released in https://github.com/rancher/wrangler/security/advisories/GHSA-qrg7-hfx7-95c5 .

Additionally, we fixed the same issue in Rancher's own Git package (that was originally reported here) and assigned CVE-2022-43758 - https://github.com/rancher/rancher/security/advisories/GHSA-34p5-jp77-fcrc . This other CVE was also credited to you and to another reporter.

Please let me know if you need anything else.

Thanks, Guilherme

  • rancher/rancher maintainer gave praise (2 months ago): Thanks for reporting this issue. Please see the above comment.
  • The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
  • rancher/rancher maintainer marked this as fixed in 2.7.1 with commit bb1c35 (2 months ago)
  • The fix bounty has been dropped
  • This vulnerability will not receive a CVE
  • This vulnerability is scheduled to go public on Jan 24th 2023
  • rancher/rancher maintainer published this vulnerability (2 months ago)