high-winter-92040
10/03/2022, 8:59 AM
<https://portswigger.net/daily-swig/rancher-stored-sensitive-values-in-plaintext-exposed-kubernetes-clusters-to-takeover>
With minimal access privs, one can obtain the cluster token in Rancher versions up to and including 2.5.15 and 2.6.6
An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like Clusters, for example cluster.management.cattle.io. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of that sensitive data.
The exposed credentials are visible in Rancher to authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base on the endpoints:
<https://github.com/advisories/GHSA-g7j7-h4q8-8w2f>
numerous-coat-84186
10/03/2022, 11:17 AM
sparse-fireman-14239
10/03/2022, 11:18 AM
ambitious-soccer-12568
10/03/2022, 12:53 PM
[Google OAuth] testAndApply: server error while authenticating: invalid hostname provided
icy-secretary-33916
10/03/2022, 2:49 PM
victorious-river-3598
10/03/2022, 4:33 PM
CATTLE_INTERNAL_ADDRESS=
CATTLE_IS_RKE=false
CATTLE_K8S_MANAGED=true
CATTLE_NODE_NAME=cattle-cluster-agent-86d667c95f-ltqp9
CATTLE_SERVER=<https://35.225.85.114>
CATTLE_SERVER_VERSION=v2.6.8
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local c.rene-v-sandbox.internal google.internal nameserver 10.0.0.10 options ndots:5
ERROR: <https://35.225.85.114/ping> is not accessible (Failed to connect to 35.225.85.114 port 443: Connection timed out)
victorious-river-3598
10/03/2022, 4:53 PM
victorious-river-3598
10/03/2022, 4:53 PM
ancient-air-32350
10/03/2022, 8:28 PM
cuddly-appointment-26831
10/04/2022, 5:27 AM
abundant-ghost-97733
10/04/2022, 11:34 AM
glamorous-guitar-96571
10/04/2022, 1:07 PM
polite-waitress-19288
10/04/2022, 1:37 PM
cuddly-chef-59548
10/04/2022, 5:19 PM
able-window-95223
10/05/2022, 1:15 AM
x509: certificate has expired or is not yet valid. I was able to rotate the cert through the UI, but I wonder what could have caused it to not rotate. This is a cluster provisioned through Terraform.
able-window-95223
10/05/2022, 1:26 AM
creamy-pencil-82913
10/05/2022, 8:59 AM
clever-mechanic-71254
10/05/2022, 12:34 PM
blue-florist-78333
10/05/2022, 12:39 PM
echoing-country-69231
10/05/2022, 1:34 PM
billions-vase-14972
10/05/2022, 3:26 PM
acceptable-judge-34451
10/05/2022, 5:14 PM
acceptable-judge-34451
10/05/2022, 5:14 PM
quiet-area-89381
10/05/2022, 6:46 PM
tls-rancher-ingress in the cattle-system namespace, issued by Let's Encrypt. But somehow the ingress still serves the old generated certificate. I checked that the ingress was gone after I uninstalled Rancher. How can I make sure the right certificate is picked up?
powerful-farmer-23811
10/05/2022, 8:53 PM
icy-secretary-33916
10/05/2022, 9:27 PM
icy-secretary-33916
10/05/2022, 9:30 PM
icy-secretary-33916
10/05/2022, 9:30 PM
quiet-area-89381
10/05/2022, 10:20 PM
[Google OAuth] testAndApply: server error while authenticating: Get "<https://admin.googleapis.com/admin/directory/v1/groups?alt=json&domain=microbyre.com&prettyPrint=false&userKey=104963972947843610189>": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
We verified the SA has the permissions and the delegation on the workspace side too.
quiet-chef-27276
10/06/2022, 1:54 AM
quiet-chef-27276
10/06/2022, 1:54 AM
creamy-pencil-82913
10/06/2022, 2:57 AM
limited-pizza-33551
10/06/2022, 10:40 AM
agreeable-oil-87482
10/06/2022, 11:10 AM
quiet-chef-27276
10/06/2022, 11:12 AM
limited-pizza-33551
10/06/2022, 11:18 AM