A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user’s tokens still usable.
An AP must be enabled to be affected by this, as the built-in User Management feature is not affected by this vulnerability. This issue may lead to an adversary gaining unauthorized access, as the user’s access privileges may still be active within Rancher even though they are no longer valid on the configured AP (please consult the MITRE ATT&CK - Technique - Valid Accounts for further information about the associated technique of attack).
It’s important to note that all configurable APs are impacted, see Rancher Docs - Configuring Authentication - External vs. Local Authentication to get the full authentication providers list.
To address this issue, the fix introduces a new user retention process that can be configured to run periodically and disable and/or delete inactive users. If enabled a user becomes subject to retention if they don't login for a configurable period of time. It's possible to set overrides for users that are used mainly for programmatic access (e.g. CI, scripts etc.) so that they don't become subject to retention for a longer period of time or at all. The user retention process is disabled by default, to avoid deleting wrong accounts. It is up to each user to enable it and configure the retention period as it best suits its environment.
Be aware that once the process is enabled, it might take a few days for previous users that have been revoked or deleted from the AP to be automatically removed from Rancher. To attenuate the risk of this condition, we recommend to regularly audit the AP’s user accounts for activity and manually deactivate or remove them from Rancher, if they are no longer needed.
For further information about the user retention process configuration, please refer to the dedicated documentation Rancher Docs - Advanced User Guides - Enable User Retention .
This Cyber News was published on www.tenable.com. Publication date: Tue, 18 Jun 2024 18:52:02 +0000