SUSE Rancher
cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*
- >= 2.7.0, < 2.7.14
- >= 2.8.0, < 2.8.5
A privilege escalation vulnerability has been identified in SUSE Rancher versions 2.7.0 prior to 2.7.14 and 2.8.0 prior to 2.8.5. The issue lies in RoleTemplate objects that have 'external' set to true, whose permissions are meant to come from a backing ClusterRole rather than from inline rules. The webhook's rule resolver disregards the rules of that backing ClusterRole for external RoleTemplates whose context is 'project' or left empty, so the privilege checks performed by the webhook do not account for the permissions such a RoleTemplate actually grants. In certain scenarios this allows unauthorized users to obtain elevated privileges.
Successful exploitation results in privilege escalation: a user can end up with rights they should not have been granted.
Upgrade to Rancher 2.7.14 or 2.8.5, where this vulnerability is patched. On the 2.7 release line the fix is additionally gated behind the 'external-rules' feature flag, which must be enabled after upgrading to a patched version. Administrators can also use the script provided with the advisory to identify affected RoleTemplates and to create the backing ClusterRoles they require, so that the webhook can resolve their rules.
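The following is an added example, not the script provided with the advisory or any Rancher code, showing how an administrator could audit RoleTemplates for the affected condition (external == true with context 'project' or empty) and flag those with no backing ClusterRole. It assumes the JSON shape returned by `kubectl get roletemplates.management.cattle.io -o json` and `kubectl get clusterroles -o json`, and it assumes that a backing ClusterRole shares the name of its RoleTemplate; the objects embedded below are constructed sample data.

```python
import json

# RoleTemplate contexts on the vulnerable code path, per the advisory:
# 'project' or an empty context.
AFFECTED_CONTEXTS = {"project", ""}

# Constructed sample input, shaped like `kubectl get roletemplates.management.cattle.io -o json`.
ROLETEMPLATES_JSON = """
{"items": [
  {"metadata": {"name": "external-project-viewer"}, "context": "project", "external": true},
  {"metadata": {"name": "external-no-context"},     "context": "",        "external": true},
  {"metadata": {"name": "external-cluster-admin"},  "context": "cluster", "external": true},
  {"metadata": {"name": "inline-project-member"},   "context": "project", "external": false,
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "external-backed"},         "context": "project", "external": true}
]}
"""

# Constructed sample input, shaped like `kubectl get clusterroles -o json`.
CLUSTERROLES_JSON = """
{"items": [
  {"metadata": {"name": "external-backed"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
  {"metadata": {"name": "view"}, "rules": []}
]}
"""


def affected_roletemplates(roletemplates):
    """Names of RoleTemplates that hit the vulnerable path:
    external == true and context in {'project', ''}.
    Missing 'context' is treated as empty, missing 'external' as false."""
    return [
        rt["metadata"]["name"]
        for rt in roletemplates["items"]
        if rt.get("external", False) and rt.get("context", "") in AFFECTED_CONTEXTS
    ]


def missing_backing_clusterroles(roletemplates, clusterroles):
    """Affected RoleTemplates with no ClusterRole of the same name.
    Assumption: the backing ClusterRole is named after the RoleTemplate."""
    existing = {cr["metadata"]["name"] for cr in clusterroles["items"]}
    return [name for name in affected_roletemplates(roletemplates) if name not in existing]


def backing_clusterrole_manifest(roletemplate):
    """Skeleton ClusterRole for an external RoleTemplate that lacks one.
    Rules are copied from the RoleTemplate if it carries any; otherwise the
    administrator must fill them in before applying the manifest."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": roletemplate["metadata"]["name"]},
        "rules": roletemplate.get("rules", []),
    }


def audit(roletemplates_json=ROLETEMPLATES_JSON, clusterroles_json=CLUSTERROLES_JSON):
    """Run the audit over the two JSON documents and return
    (affected names, names missing a backing ClusterRole, manifests to create)."""
    roletemplates = json.loads(roletemplates_json)
    clusterroles = json.loads(clusterroles_json)
    affected = affected_roletemplates(roletemplates)
    missing = missing_backing_clusterroles(roletemplates, clusterroles)
    by_name = {rt["metadata"]["name"]: rt for rt in roletemplates["items"]}
    manifests = [backing_clusterrole_manifest(by_name[n]) for n in missing]
    return affected, missing, manifests


if __name__ == "__main__":
    affected, missing, manifests = audit()
    print("affected external RoleTemplates:", affected)
    print("without a backing ClusterRole:", missing)
    for m in manifests:
        print(json.dumps(m, indent=2))
```

The cluster-context RoleTemplate and the non-external one are excluded because the advisory limits the flaw to external RoleTemplates with a project or empty context. Generated manifests whose `rules` list is empty need the intended permissions filled in; applying an empty ClusterRole would not be a fix, only a placeholder.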