<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Harvester — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/harvester/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/harvester/feed.xml" rel="self" type="application/rss+xml"/><item><title>SUSE Harvester Rancher Integration Vulnerable to MITM and DOS</title><link>https://feed.craftedsignal.io/briefs/2024-01-harvester-rancher-mitm/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-harvester-rancher-mitm/</guid><description>SUSE Harvester's Rancher integration mechanism is vulnerable to a man-in-the-middle attack due to insecure TLS options, potentially leading to denial of service.</description><content:encoded><![CDATA[<p>SUSE Harvester, a hyperconverged infrastructure (HCI) solution, integrates with Rancher to manage Kubernetes clusters. A vulnerability exists in the cluster registration process. The registration client, responsible for establishing communication between Harvester and Rancher, uses an insecure TLS configuration by default, failing to validate the remote server&rsquo;s certificate. This vulnerability, discovered in versions prior to 1.8.0, allows an attacker with network-level access to intercept and manipulate the TLS handshake, potentially redirecting cluster registration requests to a malicious server. 
Successful exploitation can result in unauthorized access to and control over the Harvester cluster, or lead to a denial-of-service condition due to a memory buffer overflow when processing unvalidated response payloads.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network-level access between the SUSE Virtualization instance and the Rancher Manager.</li>
<li>The Harvester registration client attempts to establish a TLS connection with the Rancher Manager using the insecure default configuration.</li>
<li>Attacker intercepts the TLS handshake.</li>
<li>Attacker presents a fraudulent certificate to the Harvester registration client. Due to the lack of certificate validation, the client accepts the certificate.</li>
<li>The Harvester registration client sends cluster registration requests to the attacker-controlled server.</li>
<li>Attacker&rsquo;s server sends a crafted response payload back to the Harvester registration client.</li>
<li>The Harvester registration client processes the response payload without proper size validation.</li>
<li>A memory buffer overflow occurs, leading to a crash of the SUSE Virtualization registration controller, resulting in a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to perform a man-in-the-middle attack and potentially gain unauthorized access to the SUSE Harvester cluster. Furthermore, the vulnerability can be exploited to cause a denial-of-service condition by crashing the SUSE Virtualization registration controller. While the exact number of affected installations is unknown, organizations using SUSE Harvester versions prior to 1.8.0 are at risk. Sectors commonly using virtualization technologies, such as cloud service providers, financial institutions, and research organizations, are potentially affected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade SUSE Virtualization to version 1.8.0 or later to patch the vulnerability as recommended by the vendor.</li>
<li>As a workaround, restrict access to the <code>cluster-registration-url</code> setting to authorized cluster administrators.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>mitm</category><category>denial-of-service</category><category>virtualization</category></item></channel></rss>