CVE-2024-58259: Rancher affected by unauthenticated Denial of Service
A vulnerability has been identified in Rancher Manager: it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. A malicious user could exploit this by sending excessively large payloads, which were fully loaded into memory during processing. This could result in:
- Denial of Service (DoS): The server process may crash or become unresponsive when memory consumption exceeds available resources.
- Unauthenticated and authenticated exploitation: While the issue was initially observed in unauthenticated /v3-public/* endpoints, the absence of request body size limits also affected several authenticated APIs, broadening the potential attack surface. It is worth noting that other areas of Rancher do implement safeguards: requests proxied to Kubernetes APIs are subject to the built-in size limits enforced by the Kubernetes API server itself, and Norman-based endpoints parse input with predefined size caps. However, the absence of similar protections in other Rancher APIs increased the risk of denial-of-service (DoS) scenarios in certain contexts.
By sending large binary or text payloads to vulnerable endpoints, a malicious actor could disrupt Rancher’s availability, impacting both administrative and user operations across managed clusters.
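As an added illustration (not Rancher's code, and not the fix from the referenced commit), the Go snippet below shows the kind of request body cap the advisory describes as missing: a handler that buffers the whole body with io.ReadAll, wrapped by http.MaxBytesReader so an oversized upload is rejected with 413 instead of being loaded into memory. The 1 MiB limit, the /v3-public/login path and the handler itself are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxBodyBytes is an assumed 1 MiB cap for illustration; the page gives no real value.
const MaxBodyBytes int64 = 1 << 20

// limitBody wraps a handler so the body is cut off by http.MaxBytesReader once
// limit bytes have been read; the handler never buffers more than that in memory.
// (Go 1.18+ also ships http.MaxBytesHandler, which does the same thing.)
func limitBody(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Body != nil {
			r.Body = http.MaxBytesReader(w, r.Body, limit)
		}
		next.ServeHTTP(w, r)
	})
}

// loginHandler stands in for an unauthenticated endpoint that reads the entire body,
// which is exactly the pattern that becomes a DoS vector without a cap.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// postStatus sends a constructed body of n bytes through the limited handler and
// returns the HTTP status, so the behaviour can be checked without a real server.
func postStatus(n int, limit int64) int {
	h := limitBody(limit, http.HandlerFunc(loginHandler))
	req := httptest.NewRequest(http.MethodPost, "/v3-public/login", strings.NewReader(strings.Repeat("a", n)))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(postStatus(512, MaxBodyBytes), postStatus(int(MaxBodyBytes)+1, MaxBodyBytes))
}
```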
Please consult the associated MITRE ATT&CK technique, Network Denial of Service, for further information about this category of attack.
References
- github.com/advisories/GHSA-4h45-jpvh-6p5j
- github.com/rancher/rancher
- github.com/rancher/rancher/commit/aee95d4e2a41ba2df6f88c9634d4fe1f42dee4d9
- github.com/rancher/rancher/releases/tag/v2.10.9
- github.com/rancher/rancher/releases/tag/v2.11.5
- github.com/rancher/rancher/releases/tag/v2.12.1
- github.com/rancher/rancher/releases/tag/v2.9.11
- github.com/rancher/rancher/security/advisories/GHSA-4h45-jpvh-6p5j
- nvd.nist.gov/vuln/detail/CVE-2024-58259