Rancher Manager CLI TLS Verification Bypass Vulnerability

Vulnerability

A vulnerability exists in Rancher Manager CLI versions 2.10.0 prior to 2.10.11, 2.11.0 prior to 2.11.10, 2.12.0 prior to 2.12.6, and 2.13.0 prior to 2.13.2. The issue arises when users who rely on self-signed CA certificates run the Rancher CLI login command with the '--skip-verify' option but without the '--cacert' flag. In that configuration the CLI attempts to retrieve the CA certificate from Rancher's 'cacerts' setting instead of from a file the operator supplied. An attacker with network-level access can intercept the TLS handshake and present a CA under their control, which effectively bypasses TLS verification. TLS therefore no longer acts as a security boundary for the login, and the basic authentication headers sent by the CLI are exposed to interception.

Impact

Exploitation of this vulnerability can lead to a Man-in-the-Middle attack, in which an attacker intercepts and potentially alters the communication between the Rancher CLI and Rancher Manager. Because TLS verification is bypassed, the attacker can present a fraudulent CA certificate and intercept the authentication headers, undermining the security of the connection.

Remediation

Users can upgrade to Rancher CLI versions 2.13.2, 2.12.6, 2.11.10, or 2.10.11 to address this vulnerability. If an immediate upgrade is not possible, ensure that the '--cacert' flag is used with the login command when self-signed certificates are in use.

Added: Feb 25, 2026, 11:25 AM
Updated: Feb 25, 2026, 11:25 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 5.8
remediation: 7.9
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.