Rancher Fleet ServiceAccount Impersonation Bypass Vulnerability Allowing Secret Access
Vulnerability
A vulnerability exists in Rancher Fleet's Helm deployer, specifically in versions 0.11.0 prior to 0.11.13, 0.12.0 prior to 0.12.14, 0.13.0 prior to 0.13.10, 0.14.0 prior to 0.14.5, and 0.15.0 prior to 0.15.1. The issue arises because the Helm deployer did not properly implement ServiceAccount impersonation in two scenarios. This flaw allows a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on all downstream clusters targeted by their GitRepo. The vulnerability breaks Fleet's multi-tenant impersonation model, potentially leading to unauthorized access to sensitive information.
Impact
Exploitation of this vulnerability allows unauthorized reads of secrets from any namespace on the downstream clusters targeted by the tenant's GitRepo, bypassing the RBAC restrictions that ServiceAccount impersonation is meant to enforce. Because those secrets may hold credentials for external services, the impact can extend beyond the clusters themselves and is hard to bound in advance.
Remediation
Users should update their Fleet deployment to the fixed version for their release line listed above (0.11.13 for the 0.11 line, and correspondingly 0.12.14, 0.13.10, 0.14.5 or 0.15.1). The issues are also patched in Rancher versions 2.14.1, 2.13.5, 2.12.9, and 2.11.13. In multi-tenant deployments no workaround fully mitigates the issue, but it is advisable to restrict git push access to trusted users and to audit deployed chart templates for cross-namespace references.
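The template audit recommended above can be partly automated. The following is an added example, not code from the advisory or from Fleet; it assumes the chart has already been rendered (for instance with `helm template`) and parsed into a list of manifest dicts, and flags manifests whose namespace differs from the GitRepo's target namespace, cluster-scoped RBAC objects, rules that grant secret reads, and binding subjects from other namespaces.

```python
# Audit rendered chart manifests for cross-namespace references and secret-granting
# RBAC. Input: list of manifest dicts (e.g. yaml.safe_load_all over `helm template`).
CLUSTER_SCOPED_RBAC = {"ClusterRole", "ClusterRoleBinding"}
READ_VERBS = {"get", "list", "watch", "*"}

def grants_secret_access(rules):
    """True if any RBAC rule allows reading the 'secrets' resource (or a wildcard)."""
    for rule in rules or []:
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if resources & {"secrets", "*"} and verbs & READ_VERBS:
            return True
    return False

def audit_manifests(docs, target_ns):
    """Return one finding per suspicious manifest; an empty list means nothing to review."""
    findings = []
    for doc in docs:
        if not doc:  # helm template emits empty documents between '---' separators
            continue
        kind = doc.get("kind", "?")
        meta = doc.get("metadata") or {}
        name = meta.get("name", "?")
        ns = meta.get("namespace")
        if ns and ns != target_ns:
            findings.append(f"{kind}/{name}: namespace '{ns}' differs from target '{target_ns}'")
        if kind in CLUSTER_SCOPED_RBAC:
            findings.append(f"{kind}/{name}: cluster-scoped RBAC object")
        if kind in ("Role", "ClusterRole") and grants_secret_access(doc.get("rules")):
            findings.append(f"{kind}/{name}: rule grants read access to secrets")
        if kind in ("RoleBinding", "ClusterRoleBinding"):
            for subj in doc.get("subjects") or []:
                sns = subj.get("namespace")
                if sns and sns != target_ns:
                    findings.append(f"{kind}/{name}: subject '{subj.get('name')}' is in namespace '{sns}'")
    return findings

# Constructed sample manifests (not from the advisory) for a GitRepo targeting 'tenant-a'.
SAMPLE_DOCS = [
    {"kind": "Deployment", "metadata": {"name": "app", "namespace": "tenant-a"}},
    {"kind": "ConfigMap", "metadata": {"name": "stray", "namespace": "kube-system"}},
    {"kind": "ClusterRole", "metadata": {"name": "reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "reader-bind"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "tenant-a"}]},
]

if __name__ == "__main__":
    for line in audit_manifests(SAMPLE_DOCS, "tenant-a"):
        print(line)
```

Run it against the output of `helm template` for each tenant chart before the GitRepo is admitted; any finding is a manifest to review by hand, not necessarily a violation.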