CVE-2023-32191 - RKE Full-Cluster-State ConfigMap Vulnerability: A Deep Dive into Privilege Escalation for Non-Admin Users

The vulnerability identified as CVE-2023-32191 has opened doors for privilege escalation exploits on Kubernetes clusters provisioned by Rancher Kubernetes Engine (RKE). This post aims to provide a comprehensive analysis of the vulnerability, as well as details on how potential attackers can exploit this flaw to escalate their privileges from non-admin users to full administrative access.

Background

Rancher Kubernetes Engine (RKE) is a popular platform for orchestrating container applications on Kubernetes clusters. It is designed to be simple, secure, and stable, providing an easy-to-use and out-of-the-box experience for deploying, managing, and scaling containerized applications on Kubernetes.

The Vulnerability

When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster. This configuration map contains sensitive information that could grant unauthorized access and allow privilege escalation for non-admin users.

Snippet of YAML file outlining full-cluster-state ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: full-cluster-state
  namespace: kube-system
data:
  desired-state: <base64_encoded_value>

Cluster authentication materials (tokens, keys, etc.)

- Full configuration for all components running in the cluster, including master nodes, workers, etcd servers, and more.

This information can be exploited by non-admin users to escalate their privileges, gain full administrative access to the cluster, and potentially compromise the entire container infrastructure.

Exploit Details

An attacker, who has limited access to a Kubernetes cluster provisioned by RKE, can exploit the CVE-2023-32191 vulnerability to gain administrative access by following these steps:

Example command: echo "<base64_encoded_value>" | base64 --decode

3. Use the extracted sensitive information such as certificates and tokens to impersonate an administrator and perform privileged actions on the cluster.

Original References:
- RKE Issue: RKE GitHub Issue #3369
- Kubernetes Documentation: ConfigMaps
- Rancher Kubernetes Engine RKE

Conclusion

The CVE-2023-32191 vulnerability exposes Kubernetes clusters provisioned by RKE to privilege escalation, resulting in potential unauthorized admin access and significant risks for containerized applications. It is essential for organizations and developers using RKE provisioning to be aware of this vulnerability and immediately apply the updates and mitigations as provided by the RKE maintainers.

Furthermore, it is crucial to employ best practices when configuring Kubernetes clusters, including limiting access to sensitive namespaces like kube-system, implementing role-based access control(RBAC), and continuously monitoring for potential security risks.

Timeline

Published on: 10/16/2024 12:17:02 UTC