6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
42.8%
In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(128056);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/19");
script_cve_id("CVE-2019-12274");
script_name(english:"RancherOS 1.6.x < 1.6.28 / 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Arbitrary File Read");
script_set_attribute(attribute:"synopsis", value:
"A Docker container of Rancher installed on the remote host is missing a security patch.");
script_set_attribute(attribute:"description", value:
"In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the
Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The
problem is that a user could choose to post a sensitive file such as /root/.kube/config or
/var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76c65d4b");
# https://github.com/rancher/rancher/releases/tag/v2.2.4
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?972b6c60");
# https://github.com/rancher/rancher/releases/tag/v2.1.10
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48cf906b");
# https://github.com/rancher/rancher/releases/tag/v2.0.15
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3693a71b");
# https://github.com/rancher/rancher/releases/tag/v1.6.28
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2d277a3");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.6.28 / 2.0.15 / 2.1.10 / 2.2.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12274");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/05");
script_set_attribute(attribute:"patch_publication_date", value:"2019/06/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"x-cpe:/a:rancher_labs:rancher");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("rancher_local_detection.nbin", "rancher_web_ui_detect.nbin");
script_require_keys("installed_sw/Rancher", "Settings/ParanoidReport");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
app = 'Rancher';
get_install_count(app_name:app, exit_if_zero:TRUE);
app_info = vcf::combined_get_app_info(app:app);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
constraints = [
{'min_version' : '1.6.0', 'fixed_version' : '1.6.28'},
{'min_version' : '2.0.0', 'fixed_version' : '2.0.15'},
{'min_version' : '2.1.0', 'fixed_version' : '2.1.10'},
{'min_version' : '2.2.0', 'fixed_version' : '2.2.4'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Vendor | Product | Version | CPE |
---|---|---|---|
rancher_labs | rancher | x-cpe:/a:rancher_labs:rancher |
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
42.8%