Impact
This issue only affects Rancher instances with Azure AD integration enabled, regardless of the automatically refreshing settings which are enabled by default. The users that obtained a token (or kubeconfig) to access Rancher through the following sessions are affected by this issue:
- Users using the Rancher UI.
- Users using
kubectl
based on a kubeconfig
downloaded through the Rancher UI.
- Tokens created via the Rancher UI Create API Key feature.
A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it.
Note that the permission caching is persisted even when the Rancher Manager pod is restarted. The only way for a user to get the new permissions is to logout and login again.
Patches
Patched versions include releases 2.6.13
, 2.7.4
and later versions.
Workarounds
There is no direct mitigation besides updating Rancher to a patched version.
Credits
We would like to recognize and thank @yvespp for the responsible disclosure of this security issue.
For more information
If you have any questions or comments about this advisory:
Impact
This issue only affects Rancher instances with Azure AD integration enabled, regardless of the automatically refreshing settings which are enabled by default. The users that obtained a token (or kubeconfig) to access Rancher through the following sessions are affected by this issue:
kubectl
based on akubeconfig
downloaded through the Rancher UI.A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or are removed from a group, thus retaining their access to Rancher instead of losing it.
Note that the permission caching is persisted even when the Rancher Manager pod is restarted. The only way for a user to get the new permissions is to logout and login again.
Patches
Patched versions include releases
2.6.13
,2.7.4
and later versions.Workarounds
There is no direct mitigation besides updating Rancher to a patched version.
Credits
We would like to recognize and thank @yvespp for the responsible disclosure of this security issue.
For more information
If you have any questions or comments about this advisory: