CVE-2021-32001 in Rancher
Summary
by MITRE • 07/28/2021
A Missing Encryption of Sensitive Data vulnerability in k3s, rke2 of SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions.
Analysis
by VulDB Data Team • 08/05/2021
CVE-2021-32001 is a critical missing-encryption-of-sensitive-data flaw in the SUSE Rancher K3s and RKE2 container orchestration platforms. Both store the cluster's confidential keying material in the datastore without adequate protection, which exposes every Kubernetes cluster built on them: an attacker who gains direct access to the datastore, or who obtains a copy of a datastore backup, can extract and decrypt that material without knowing the cluster token or any other credential. Affected releases are K3s v1.19.12+k3s1, v1.20.8+k3s1 and v1.21.2+k3s1 and earlier, together with the corresponding RKE2 releases, so the exposure is broad across deployments of both platforms.
Technically, the flaw lies in how the datastore persistence layer handles cryptographic material. Cluster certificate authority private keys, the secrets encryption configuration passphrase and other confidential keying material are written without adequate encryption, so they are directly readable by anything that can read the datastore. This is cleartext storage of sensitive information at the layer where such data should be encrypted at rest; it maps to CWE-312 (Cleartext Storage of Sensitive Information) and CWE-310 (Cryptographic Issues) and runs against the security principles described in the OWASP Top Ten.
The operational impact goes well beyond the exposure of a few values: it amounts to a compromise of the cluster's security posture. An attacker holding the cluster certificates can impersonate legitimate cluster components, decrypt sensitive application data stored in the cluster, and establish persistent access to the containerized environment. Because no token is required for extraction, a user whose access is limited to the datastore can escalate privileges simply by reading it directly. The weakness maps to ATT&CK techniques T1552.001 (Unsecured Credentials) and T1552.004 (Credentials in Files), since cryptographic keys are obtained without passing through the normal authentication path. The impact is most severe for organizations that run production workloads with sensitive data and critical infrastructure components on these platforms.
Mitigation has to cover both immediate remediation and longer-term architectural hardening. Upgrade K3s and RKE2 to patched releases where available; those releases encrypt the sensitive data held in the datastore. In addition, restrict the datastore's storage location with strict access controls, use network segmentation to limit which hosts can reach the datastore, and place it on encrypted storage as a further layer of protection. Enforce sound key management, including regular key rotation and secure key storage. Finally, audit the container orchestration environment for other places where sensitive data may be exposed, and confirm that everything sensitive held in databases or file systems is encrypted at rest. These measures follow NIST SP 800-57 guidance on cryptographic key management and address the architectural weakness behind this vulnerability.
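The control the analysis says was missing, as an added Go illustration (not K3s or RKE2 code): bootstrap keying material is wrapped with a key derived from the cluster join token before it is written to the datastore, so a datastore copy or backup read without the token fails authentication instead of yielding the CA keys. The function names, record layout and PBKDF2 parameters are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const saltLen, nonceLen, kdfIters = 16, 12, 100000 // 12 bytes is the standard GCM nonce size
// tokenAEAD: PBKDF2-HMAC-SHA256 (one block, hand-rolled, stdlib only) turns the join token into an AES-256-GCM key.
func tokenAEAD(token string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(token))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealBootstrap wraps keying material (CA private keys, secrets encryption config) before it reaches the datastore; record layout: salt || nonce || ciphertext+tag.
func SealBootstrap(token string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per record
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return tokenAEAD(token, hdr[:saltLen]).Seal(append([]byte(nil), hdr...), hdr[saltLen:], plaintext, hdr[:saltLen]), nil
}

// OpenBootstrap is the read path: a copy or backup opened without the token, or a tampered record, fails GCM authentication instead of yielding the keys.
func OpenBootstrap(token string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+nonceLen {
		return nil, errors.New("sealed record too short")
	}
	salt, nonce, ct := sealed[:saltLen], sealed[saltLen:saltLen+nonceLen], sealed[saltLen+nonceLen:]
	return tokenAEAD(token, salt).Open(nil, nonce, ct, salt)
}
```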