CVE-2024-22036: Rancher Remote Code Execution via Cluster/Node Drivers

October 25, 2024 (updated April 16, 2025)

A vulnerability has been identified in Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible by living off the land within the Rancher container. In test and development environments that run Rancher in a --privileged Docker container, it is possible to escape the Docker container and gain execution access on the host system.

This happens because:

  • During startup, Rancher appends the /opt/drivers/management-state/bin directory to the PATH environment variable.
  • In Rancher, the binaries /usr/bin/rancher-machine, /usr/bin/helm_v3, and /usr/bin/kustomize are assigned a UID of 1001 and a GID of 127 instead of being owned by the root user.
  • Rancher employs a jail mechanism to isolate the execution of node drivers from the main process. However, the drivers are executed with excessive permissions.
  • When a new node driver is registered, its binary is executed as the same user as the parent process, which could enable an attacker to gain elevated privileges by registering a malicious driver.
  • The driver file type is not validated, which allows symbolic links to be used.

Please consult the associated MITRE ATT&CK - Technique - Privilege Escalation and MITRE ATT&CK - Technique - Execution for further information about this category of attack.

Because drivers run at a privileged level, it is recommended to use trusted drivers only.
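
The conditions listed above can be checked on a Rancher container or an unpacked image with a short script. This is an added triage example, not code from the advisory or the Rancher project; the function names, the optional ROOT prefix and the output tags are assumptions. A finding is an indicator to follow up, since the advisory does not say which of these conditions the fixed versions change.

```shell
#!/bin/sh
# Added triage example; not Rancher or advisory code. ROOT is an optional
# prefix (assumption) so the checks can run against an unpacked image.
DRIVER_DIR=/opt/drivers/management-state/bin
BINARIES="/usr/bin/rancher-machine /usr/bin/helm_v3 /usr/bin/kustomize"

# Succeeds if the driver directory is an entry of the PATH string passed in.
path_has_driver_dir() {
  case ":$1:" in
    *":$DRIVER_DIR:"* | *":$DRIVER_DIR/:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints "path uid:gid" for each listed binary under ROOT not owned by 0:0.
non_root_binaries() {
  root=${1:-}
  for b in $BINARIES; do
    [ -e "$root$b" ] || continue
    owner=$(stat -c '%u:%g' "$root$b") || continue   # GNU stat
    [ "$owner" = "0:0" ] || printf '%s %s\n' "$b" "$owner"
  done
}

# Prints symbolic links located directly in the driver directory under ROOT.
symlinked_drivers() {
  root=${1:-}
  [ -d "$root$DRIVER_DIR" ] || return 0
  find "$root$DRIVER_DIR" -mindepth 1 -maxdepth 1 -type l -print
}

# Runs the three checks and prints one tagged line per finding.
# $2 is the PATH to inspect; the shell's own PATH is only a default and may
# differ from the PATH of the running Rancher process.
audit() {
  root=${1:-}
  if path_has_driver_dir "${2:-$PATH}"; then
    echo "PATH: $DRIVER_DIR"
  fi
  non_root_binaries "$root" | sed 's/^/OWNER: /'
  symlinked_drivers "$root" | sed 's/^/SYMLINK: /'
}

# Stand-alone use: sh audit.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then audit "${2:-}"; fi
```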

References

  • bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22036
  • github.com/advisories/GHSA-h99m-6755-rgwc
  • github.com/rancher/rancher
  • github.com/rancher/rancher/security/advisories/GHSA-h99m-6755-rgwc
  • nvd.nist.gov/vuln/detail/CVE-2024-22036

Affected versions

All versions starting from 2.7.0 before 2.7.16, all versions starting from 2.8.0 before 2.8.9, all versions starting from 2.9.0 before 2.9.3

Fixed versions

  • 2.7.16
  • 2.8.9
  • 2.9.3

Solution

Upgrade to versions 2.7.16, 2.8.9, 2.9.3 or above.

Impact 9.1 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Weakness

  • CWE-269: Improper Privilege Management

Source file

go/github.com/rancher/rancher/CVE-2024-22036.yml

Page generated Wed, 14 May 2025 12:14:39 +0000.