CVE-2023-32198: Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks

A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using Steve.

For example, Rancher relies on Steve as a dependency for its user interface (UI) to proxy requests to Kubernetes clusters. Users who have the permission to create a service in Rancher’s local cluster can take over Rancher’s UI and display their own UI to gather sensitive information. This is only possible when the setting ui-offline-preferred is manually set to remote (by default Rancher sets it to dynamic). This enables further attacks such as cross-site scripting (XSS), or tampering the UI to collect passwords from other users etc.

Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle for further information about this category of attack.