SUSE Rancher Improper Access Control Vulnerability in SAML Authentication Allows User Impersonation

Vulnerability

An improper access control vulnerability has been identified in SUSE Rancher, allowing local users to impersonate other identities through SAML authentication during the first login. This issue affects Rancher versions 2.8.0 prior to 2.8.13, 2.9.0 prior to 2.9.7, and 2.10.0 prior to 2.10.3. The vulnerability arises when a SAML authentication provider, such as Keycloak, is configured. A newly created user can manipulate certain cookie values to impersonate any user on Rancher. Additionally, if a Rancher user is removed from the authentication provider, the vulnerability can be exploited by re-adding the user under a different identity.

Impact

Exploitation of this vulnerability allows for user impersonation, potentially leading to unauthorized access and actions within the Rancher environment, including privilege escalation by manipulating SAML cookie values to gain admin rights.

Remediation

Users can upgrade to Rancher versions 2.8.13, 2.9.7, or 2.10.3 to address this vulnerability. For deployments that cannot upgrade, temporarily disabling the SAML-based authentication provider is recommended.
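To triage an inventory against the version ranges this advisory lists, the following added check (example code, not Rancher's own) maps a version string such as "v2.9.5" to the first fixed release it should be upgraded to; the inventory at the bottom is constructed sample data.

```python
import re
from typing import Optional, Tuple

# Affected ranges taken from the advisory text, per minor line:
# a version is affected if first_affected <= version < first_fixed.
AFFECTED_RANGES = [
    ((2, 8, 0), (2, 8, 13)),
    ((2, 9, 0), (2, 9, 7)),
    ((2, 10, 0), (2, 10, 3)),
]

# Accepts "2.9.5" or "v2.9.5"; pre-release suffixes are rejected on purpose so
# that an rc build is never silently treated as a fixed release.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a Rancher version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Rancher version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None if not affected.

    Minor lines the advisory does not mention (e.g. 2.7.x) are reported as not
    affected by this advisory only; nothing else is claimed about them.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return "{}.{}.{}".format(*first_fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical cluster names and versions).
    inventory = {"prod": "v2.9.5", "staging": "v2.10.3", "lab": "2.8.12"}
    for name, ver in inventory.items():
        fix = fixed_version_for(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{name}: {ver} -> {status}")
```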

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread:         5.0
impact:         5.0
exploitability: 5.2
remediation:    8.3
relevance:      0.0
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.