CVE-2023-32191 Overview
CVE-2023-32191 is a privilege escalation vulnerability in Rancher Kubernetes Engine (RKE). When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. The information available in this configmap allows non-admin users to escalate their privileges to admin, compromising the entire Kubernetes cluster security model.
Critical Impact
Non-admin users can leverage exposed cluster state information to escalate privileges to full cluster administrator, potentially gaining complete control over all workloads, secrets, and resources within the Kubernetes environment.
Affected Products
- Rancher Kubernetes Engine (RKE)
- Kubernetes clusters provisioned by RKE
- Rancher managed Kubernetes deployments
Discovery Timeline
- 2024-10-16 - CVE-2023-32191 published to NVD
- 2024-10-16 - Last updated in NVD database
Technical Details for CVE-2023-32191
Vulnerability Analysis
This vulnerability falls under the category of Insecure Storage of Sensitive Information (CWE-922). When RKE provisions a Kubernetes cluster, it creates a configmap named full-cluster-state within the kube-system namespace. This configmap contains sensitive cluster state information that should be restricted to administrators only.
The fundamental issue is that the configmap's default access controls do not adequately restrict read access. Users with basic cluster access can retrieve the contents of this configmap, which contains information sufficient to escalate their privileges to cluster administrator level. This represents a broken access control vulnerability where the principle of least privilege is violated.
Root Cause
The root cause is the storage of sensitive cluster provisioning state in a configmap without appropriate Role-Based Access Control (RBAC) restrictions. The full-cluster-state configmap in the kube-system namespace contains credentials or configuration data that can be leveraged for privilege escalation. This design decision exposes sensitive information to users who should not have access to cluster administration capabilities.
Attack Vector
The attack vector is network-based and requires low privileges to exploit. An authenticated user with basic access to the Kubernetes cluster can:
- Query the kube-system namespace for the full-cluster-state configmap
- Extract sensitive cluster state information from the configmap contents
- Utilize the exposed information to escalate privileges to cluster administrator
The vulnerability requires no user interaction and can be exploited by any authenticated user with read access to configmaps in the kube-system namespace. The CVSS scope is Changed, meaning successful exploitation affects resources beyond the vulnerable component's security scope.
The attack can be performed using standard Kubernetes API calls or kubectl commands to retrieve the configmap data. For detailed technical information, refer to the GitHub Security Advisory GHSA-6gr4-52w6-vmqx.
Detection Methods for CVE-2023-32191
Indicators of Compromise
- Unusual access patterns to the full-cluster-state configmap in the kube-system namespace
- Non-admin users querying configmaps in kube-system namespace
- Unexpected privilege escalation events or new cluster-admin role bindings
- Audit log entries showing GET requests to /api/v1/namespaces/kube-system/configmaps/full-cluster-state
Detection Strategies
- Enable Kubernetes audit logging and monitor for access to the full-cluster-state configmap by non-admin identities
- Implement alerting on ClusterRoleBinding or RoleBinding creations that grant admin privileges
- Deploy SentinelOne Singularity Cloud Security to detect anomalous Kubernetes API access patterns
- Review RBAC configurations to identify overly permissive access to the kube-system namespace
Monitoring Recommendations
- Configure audit policies to log all access to configmaps in the kube-system namespace at the Request level
- Set up alerts for any new cluster-admin bindings or privilege escalation attempts
- Monitor for unusual service account token usage or authentication patterns
- Implement continuous RBAC posture assessment to detect configuration drift
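The indicators, detection strategies and monitoring recommendations above all come down to the same two checks against the audit log. The following detector is an added example, not part of the original advisory or of any vendor product: it parses Request-level audit events (constructed sample lines, not real data), flags access to the full-cluster-state configmap by identities outside an assumed admin allowlist, and flags new bindings to cluster-admin. The allowlisted service account name is an assumption; adjust it to the identities that legitimately read RKE state in your cluster.

```python
import json

# Constructed allowlist of identities expected to read RKE state (adjust per cluster).
ADMIN_IDENTITIES = {"system:serviceaccount:kube-system:rke-job-deployer"}
ADMIN_GROUPS = {"system:masters"}
TARGET = ("kube-system", "configmaps", "full-cluster-state")

# Constructed sample audit events (JSON lines, Request-level policy); not real log data.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","user":{"username":"system:serviceaccount:kube-system:rke-job-deployer","groups":["system:serviceaccounts"]},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"full-cluster-state"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"dev-alice","groups":["developers","system:authenticated"]},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"full-cluster-state"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"dev-bob","groups":["developers","system:authenticated"]},"objectRef":{"resource":"configmaps","namespace":"kube-system"},"responseStatus":{"code":403}}
{"verb":"get","user":{"username":"dev-alice","groups":["developers","system:authenticated"]},"objectRef":{"resource":"configmaps","namespace":"default","name":"app-config"},"responseStatus":{"code":200}}
{"verb":"create","user":{"username":"dev-alice","groups":["developers","system:authenticated"]},"objectRef":{"resource":"clusterrolebindings","name":"alice-admin"},"requestObject":{"metadata":{"name":"alice-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},"responseStatus":{"code":201}}
"""

def parse_events(text):
    """Parse JSON-lines audit output (one event per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_admin(user):
    """True for allowlisted identities or members of an admin group."""
    return user.get("username") in ADMIN_IDENTITIES or bool(ADMIN_GROUPS & set(user.get("groups", [])))

def non_admin_cluster_state_access(events):
    """Access to full-cluster-state by non-admins; list/watch of kube-system configmaps
    exposes it too, and 403s are kept because probing is itself a signal."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef", {})
        key = (ref.get("namespace"), ref.get("resource"), ref.get("name"))
        collection = ev.get("verb") in ("list", "watch") and key[:2] == TARGET[:2]
        if (key == TARGET or collection) and not is_admin(ev.get("user", {})):
            hits.append((ev["user"]["username"], ev["verb"], ev.get("responseStatus", {}).get("code")))
    return hits

def new_cluster_admin_bindings(events):
    """Creation of (Cluster)RoleBindings whose roleRef is cluster-admin."""
    hits = []
    for ev in events:
        ref, body = ev.get("objectRef", {}), ev.get("requestObject", {})
        if (ev.get("verb") == "create" and ref.get("resource") in ("clusterrolebindings", "rolebindings")
                and body.get("roleRef", {}).get("name") == "cluster-admin"):
            hits.append((ev["user"]["username"], ref["resource"], ref.get("name")))
    return hits
```

Feed the API server's audit log file (one JSON event per line) to parse_events instead of the sample and route the returned tuples to your alerting; the binding check needs a Request-level audit policy, since Metadata-level events carry no requestObject.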
How to Mitigate CVE-2023-32191
Immediate Actions Required
- Restrict access to the full-cluster-state configmap by implementing appropriate RBAC policies
- Review and audit all users with read access to the kube-system namespace
- Upgrade RKE to a patched version as soon as one becomes available
- Audit cluster role bindings for any unauthorized privilege escalations that may have already occurred
Patch Information
Refer to the GitHub Security Advisory GHSA-6gr4-52w6-vmqx for the latest patch information and remediation guidance from Rancher. Additional tracking information is available via the SUSE Bugzilla CVE-2023-32191 entry.
Workarounds
- Restrict access to the kube-system namespace configmaps; note that ResourceQuota and NetworkPolicy objects govern resource consumption and pod network traffic, not Kubernetes API access to configmaps, which is controlled by RBAC
- Create a restrictive RBAC configuration so that non-admin users have no read access to the full-cluster-state configmap; Kubernetes RBAC is allow-only, so this means removing any Role or ClusterRole grant bound to non-admin users that covers configmaps in kube-system (or narrowing it with resourceNames), not adding a deny rule
- Consider migrating cluster state storage to a more secure location such as external secrets management
- Regularly rotate credentials and secrets that may have been exposed through the configmap
# Example RBAC configuration to restrict configmap access.
# Kubernetes RBAC is allow-only and cannot express a deny: this Role grants read access
# to the full-cluster-state configmap and nothing else. Bind it only to administrators,
# and remove any broader configmaps grant in kube-system from non-admin roles.
kubectl create role restrict-cluster-state \
  --verb=get,list,watch \
  --resource=configmaps \
  --resource-name=full-cluster-state \
  -n kube-system --dry-run=client -o yaml
# Check whether a given identity can read the configmap (here the default service account
# in the default namespace; repeat for each non-admin user, group or service account).
kubectl auth can-i get configmaps/full-cluster-state -n kube-system --as=system:serviceaccount:default:default
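To make the allow-only point concrete, the following added example (not from the advisory or from Rancher) models Kubernetes RBAC rule matching for one namespace and evaluates a weak posture beside a corrected one: a broad configmaps grant to developers, and the same grant narrowed with resourceNames while full-cluster-state is reachable only through a role bound to administrators. The role, group and configmap names are constructed placeholders, and apiGroups, ClusterRoles and aggregation are omitted.

```python
# Constructed, simplified model of Kubernetes RBAC for one namespace (kube-system).
# Real RBAC also matches apiGroups, ClusterRoles and aggregation; those are omitted.

def rule_matches(rule, verb, resource, name):
    """A rule matches when verb and resource are listed (or '*') and, if the rule is
    narrowed by resourceNames, the request names one of them. A list or watch request
    carries no name, so a resourceNames-narrowed rule never matches it (as in Kubernetes)."""
    if verb not in rule["verbs"] and "*" not in rule["verbs"]:
        return False
    if resource not in rule["resources"] and "*" not in rule["resources"]:
        return False
    names = rule.get("resourceNames", [])
    return not names or (name is not None and name in names)

def can_i(roles, bindings, subject, verb, resource, name=None):
    """Allow-only evaluation, like `kubectl auth can-i`: there are no deny rules, so a
    request is permitted if any rule of any role bound to the subject matches it."""
    return any(rule_matches(rule, verb, resource, name)
               for b in bindings if subject in b["subjects"]
               for rule in roles[b["role"]])

# Weak posture (constructed): developers may read every configmap in kube-system,
# which includes full-cluster-state.
WEAK_ROLES = {"kube-system-reader": [
    {"resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]}
WEAK_BINDINGS = [{"role": "kube-system-reader", "subjects": ["group:developers"]}]

# Corrected posture (constructed): the developer grant is narrowed to the configmaps they
# actually need (names are placeholders), and full-cluster-state is reachable only through
# a role bound to administrators. Nothing is "denied"; the broad grant is simply gone.
FIXED_ROLES = {
    "kube-system-reader": [{"resources": ["configmaps"], "verbs": ["get"],
                            "resourceNames": ["coredns", "kube-proxy"]}],
    "rke-state-reader": [{"resources": ["configmaps"], "verbs": ["get"],
                          "resourceNames": ["full-cluster-state"]}],
}
FIXED_BINDINGS = [{"role": "kube-system-reader", "subjects": ["group:developers"]},
                  {"role": "rke-state-reader", "subjects": ["group:cluster-admins"]}]

def posture_report(roles, bindings, subject="group:developers"):
    """What the subject can do with kube-system configmaps under a given RBAC set."""
    return {
        "get_full_cluster_state": can_i(roles, bindings, subject, "get", "configmaps", "full-cluster-state"),
        "list_configmaps": can_i(roles, bindings, subject, "list", "configmaps"),
        "get_coredns": can_i(roles, bindings, subject, "get", "configmaps", "coredns"),
    }
```

Under the weak posture every check returns True for developers; under the corrected one only the named configmap they need remains readable, and listing the collection (which would reveal full-cluster-state) is gone as well.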
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

