{"id":"GHSA-7h8m-pvw3-5gh4","summary":"Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists","details":"### Impact\n\nA vulnerability has been identified whereby Rancher Manager deployments containing Windows nodes have weak Access Control Lists (ACL), allowing `BUILTIN\\Users` or `NT AUTHORITY\\Authenticated Users` to view or edit sensitive files which could lead to privilege escalation.\n\nThe affected files include binaries, scripts, configuration and log files:\n\n```\nC:\\etc\\rancher\\wins\\config\nC:\\var\\lib\\rancher\\agent\\rancher2_connection_info.json\nC:\\etc\\rancher\\rke2\\config.yaml.d\\50-rancher.yaml\nC:\\var\\lib\\rancher\\agent\\applied\\*-*-applied.plan\nC:\\usr\\local\\bin\\rke2\nC:\\var\\lib\\rancher\\capr\\idempotence\\idempotent.sh\n```\n\nRKE2 nodes expand the list to include the files below:\n\n```\nC:\\etc\\rancher\\node\\password\nC:\\var\\lib\\rancher\\rke2\\agent\\logs\\kubelet.log\nC:\\var\\lib\\rancher\\rke2\\data\\v1.**.**-rke2r*-windows-amd64-*\\bin\\*\nC:\\var\\lib\\rancher\\rke2\\bin\\*\n```\n\n**This vulnerability is exclusive to deployments that contain Windows nodes. Linux-only environments are not affected by it.**\n\nPlease consult the associated [MITRE ATT&CK - Technique - Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/) for further information about this category of attack.\n\n### Patches\n\nPatched versions include Rancher Manager `2.8.9` and `2.9.3`. For RKE2 Windows nodes, please refer to its [specific advisory](https://github.com/rancher/rke2/security/advisories/GHSA-x7xj-jvwp-97rv). No patches are available for 2.7, therefore users are urged to upgrade to newer minor versions or to apply the manual workaround below.\n\n\n### Workarounds\n\nUsers are advised to upgrade to a patched version of Rancher Manager. When that is not possible, users can enforce stricter ACLs for all sensitive files affected by this Security Advisory running [this](https://github.com/rancherlabs/support-tools/blob/master/windows-access-control-lists/README.md) PowerShell script as an Administrator on each node.\n\n\n### References\n\n- [CVE-2023-32197](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32197)\n- [RKE2’s GHSA-x7xj-jvwp-97rv](https://github.com/rancher/rke2/security/advisories/GHSA-x7xj-jvwp-97rv)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).","aliases":["CVE-2023-32196","CVE-2023-32197","GHSA-64jq-m7rq-768h","GO-2024-2929","GO-2024-3220"],"modified":"2025-04-17T04:11:59.845703Z","published":"2024-10-25T19:35:00Z","database_specific":{"severity":"CRITICAL","github_reviewed":true,"cwe_ids":["CWE-269","CWE-732"],"nvd_published_at":"2025-04-16T09:15:24Z","github_reviewed_at":"2024-10-25T19:35:00Z"},"references":[{"type":"WEB","url":"https://github.com/rancher/rancher/security/advisories/GHSA-64jq-m7rq-768h"},{"type":"WEB","url":"https://github.com/rancher/rancher/security/advisories/GHSA-7h8m-pvw3-5gh4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32197"},{"type":"WEB","url":"https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32197"},{"type":"PACKAGE","url":"https://github.com/rancher/rancher"}],"affected":[{"package":{"name":"github.com/rancher/rancher","ecosystem":"Go","purl":"pkg:golang/github.com/rancher/rancher"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.7.0"},{"fixed":"2.8.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-7h8m-pvw3-5gh4/GHSA-7h8m-pvw3-5gh4.json"}},{"package":{"name":"github.com/rancher/rancher","ecosystem":"Go","purl":"pkg:golang/github.com/rancher/rancher"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.9.0"},{"fixed":"2.9.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-7h8m-pvw3-5gh4/GHSA-7h8m-pvw3-5gh4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}