Improper Certificate Validation
CVE-2023-32198
Summary
A vulnerability has been identified in Steve, where by default it used an insecure option that did not validate the certificate presented by the remote server during a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using Steve. For example, Rancher relies on Steve as a dependency for its user interface (UI) to proxy requests to Kubernetes clusters. Users who have permission to create a service in Rancher's local cluster can take over Rancher's UI and display their own UI to gather sensitive information. This is only possible when the setting "ui-offline-preferred" is manually set to "remote" (by default, Rancher sets it to "dynamic"). This enables further attacks such as cross-site scripting (XSS) or tampering with the UI to collect passwords from other users. This issue affects github.com/rancher/steve versions prior to 0.2.1, 0.3.x prior to 0.3.3, 0.4.x prior to 0.4.4, 0.5.x prior to 0.5.13, and 0.6.x prior to 0.6.2.
- HIGH
- NETWORK
- HIGH
- CHANGED
- NONE
- HIGH
- HIGH
- HIGH
CWE-295 - Improper Certificate Validation
The authenticity component of a web system stems from the ability to validate digital certificates, which (i) establish trust between two or more entities sharing data over a network; (ii) ensure data at rest and in transit is secure from unauthorized access; and (iii) check the identity of the actors that interact with the system. An application with absent or ineffective certificate validation mechanisms allows malicious users, impersonating trusted hosts, to manipulate the communication path between the client and the host, resulting in unauthorized access to data and to the application's internal environment, and potentially enabling man-in-the-middle attacks.
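The advisory does not name the exact option Steve used, so the following is an added illustration (not Steve's or Rancher's code) of the weakness class in a Go client, using the standard `crypto/tls` setting `InsecureSkipVerify`, which is the usual way CWE-295 appears in Go. It starts a local HTTPS server with a self-signed certificate, then probes it three ways: with verification disabled (the weak setting, which accepts any peer), with default verification against the system roots (which correctly rejects the untrusted certificate), and with the expected CA pinned in `RootCAs` (the fix when the server uses a private or cluster-internal CA). A small `auditTLSConfig` helper, also an assumption of this example, shows the check a reviewer can run over a client configuration before it ships.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probeResult records whether a TLS handshake plus HTTP request succeeded.
type probeResult struct {
	Connected bool
	Err       error
}

// startSelfSignedServer starts an HTTPS server whose certificate is the
// self-signed test certificate generated by net/http/httptest. It stands in
// for the "remote server" of the advisory; the returned pool trusts only that
// certificate, which is what a correctly configured client should use.
func startSelfSignedServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// insecureClientConfig is the weak setting: the client accepts whatever
// certificate the peer presents, so any on-path host can impersonate the server.
func insecureClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// defaultClientConfig verifies the peer against the system root store.
func defaultClientConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// trustedClientConfig verifies the peer against an explicit CA pool, which is
// the right fix when the server uses a private or cluster-internal CA.
func trustedClientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// probe performs one GET with the given client TLS configuration.
func probe(url string, cfg *tls.Config) probeResult {
	transport := &http.Transport{TLSClientConfig: cfg}
	defer transport.CloseIdleConnections()
	resp, err := (&http.Client{Transport: transport}).Get(url)
	if err != nil {
		return probeResult{Err: err}
	}
	resp.Body.Close()
	return probeResult{Connected: true}
}

// isCertVerificationError reports whether err is one of the x509 verification
// failures a verifying client should produce for an untrusted certificate.
func isCertVerificationError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &invalid)
}

// auditTLSConfig returns findings for a client config that disables
// verification. InsecureSkipVerify is tolerated only when the config supplies
// its own VerifyPeerCertificate or VerifyConnection callback (the pinning idiom).
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify && cfg.VerifyPeerCertificate == nil && cfg.VerifyConnection == nil {
		findings = append(findings, "InsecureSkipVerify=true with no replacement verification (CWE-295)")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion below TLS 1.2")
	}
	return findings
}

func main() {
	srv, pool := startSelfSignedServer()
	defer srv.Close()
	cases := []struct {
		name string
		cfg  *tls.Config
	}{
		{"InsecureSkipVerify (weak setting)", insecureClientConfig()},
		{"default verification (system roots)", defaultClientConfig()},
		{"verification against expected CA", trustedClientConfig(pool)},
	}
	for _, c := range cases {
		r := probe(srv.URL, c.cfg)
		fmt.Printf("%-40s connected=%v err=%v findings=%v\n", c.name, r.Connected, r.Err, auditTLSConfig(c.cfg))
	}
}
```

The instructive line is the second probe: a client that verifies properly fails loudly with an `x509` error against the self-signed server, and that failure is the signal that was silenced by the insecure option. The remedy is never to disable verification but to hand the client the CA it should expect, as `trustedClientConfig` does; the audit helper flags any `InsecureSkipVerify` that is not paired with a replacement verifier, which is a cheap check to add to a code review or CI lint.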