From 32d05e9489924e53c6f64d5ea1d2f2ddf4ea3288 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 1 May 2024 13:10:23 -0400 Subject: [PATCH] Added note about cve-2024-22030 to security faq (#1244) * added note about cve-2024-22030 to security faq * Apply suggestions from code review Co-authored-by: Sunil Singh * Apply suggestions from code review Co-authored-by: Billy Tat * suggestions from Slack applied * versioning --------- Co-authored-by: Sunil Singh Co-authored-by: Billy Tat --- docs/faq/security.md | 14 +++++++++----- versioned_docs/version-2.7/faq/security.md | 14 +++++++++----- versioned_docs/version-2.8/faq/security.md | 14 +++++++++----- 3 files changed, 27 insertions(+), 15 deletions(-) diff --git a/docs/faq/security.md b/docs/faq/security.md index 46f774bf722..08fd8422730 100644 --- a/docs/faq/security.md +++ b/docs/faq/security.md @@ -7,12 +7,16 @@ title: Security FAQ -**Is there a Hardening Guide?** +### Is there a Hardening Guide? -The Hardening Guide is now located in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. +The Hardening Guide is located in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. -
- -**What are the results of Rancher's Kubernetes cluster when it is CIS benchmarked?** +### Have hardened Rancher Kubernetes clusters been evaluated by the CIS Kubernetes Benchmark? Where can I find the results? We have run the CIS Kubernetes benchmark against a hardened Rancher Kubernetes cluster. The results of that assessment can be found in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. + +### How does Rancher verify communication with downstream clusters, and what are some associated security concerns? + +Communication between the Rancher server and downstream clusters is performed through agents. Rancher uses either a registered certificate authority (CA) bundle or the local trust store to verify communication between Rancher agents and the Rancher server. Using a CA bundle for verification is more strict, as only the certificates based on that bundle are trusted. If TLS verification for a explicit CA bundle fails, Rancher may fall back to using the local trust store for verifying future communication. Any CA within the local trust store can then be used to generate a valid certificate. + +As described in [Rancher Security Update CVE-2024-22030](https://www.suse.com/c/rancher-security-update/), under a narrow set of circumstances, malicious actors can take over Rancher nodes by exploiting the behavior of Rancher CAs. For the attack to succeed, the malicious actor must generate a valid certificate from either a valid CA in the targeted Rancher server, or from a valid registered CA. The attacker also needs to either hijack or spoof the Rancher server-url as a preliminary step. Rancher is currently evaluating Rancher CA behavior to mitigate against this and any similar avenues of attack. diff --git a/versioned_docs/version-2.7/faq/security.md b/versioned_docs/version-2.7/faq/security.md index 46f774bf722..08fd8422730 100644 --- a/versioned_docs/version-2.7/faq/security.md +++ b/versioned_docs/version-2.7/faq/security.md 
@@ -7,12 +7,16 @@ title: Security FAQ -**Is there a Hardening Guide?** +### Is there a Hardening Guide? -The Hardening Guide is now located in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. +The Hardening Guide is located in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. -
- -**What are the results of Rancher's Kubernetes cluster when it is CIS benchmarked?** +### Have hardened Rancher Kubernetes clusters been evaluated by the CIS Kubernetes Benchmark? Where can I find the results? We have run the CIS Kubernetes benchmark against a hardened Rancher Kubernetes cluster. The results of that assessment can be found in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. + +### How does Rancher verify communication with downstream clusters, and what are some associated security concerns? + +Communication between the Rancher server and downstream clusters is performed through agents. Rancher uses either a registered certificate authority (CA) bundle or the local trust store to verify communication between Rancher agents and the Rancher server. Using a CA bundle for verification is more strict, as only the certificates based on that bundle are trusted. If TLS verification for a explicit CA bundle fails, Rancher may fall back to using the local trust store for verifying future communication. Any CA within the local trust store can then be used to generate a valid certificate. + +As described in [Rancher Security Update CVE-2024-22030](https://www.suse.com/c/rancher-security-update/), under a narrow set of circumstances, malicious actors can take over Rancher nodes by exploiting the behavior of Rancher CAs. For the attack to succeed, the malicious actor must generate a valid certificate from either a valid CA in the targeted Rancher server, or from a valid registered CA. The attacker also needs to either hijack or spoof the Rancher server-url as a preliminary step. Rancher is currently evaluating Rancher CA behavior to mitigate against this and any similar avenues of attack. diff --git a/versioned_docs/version-2.8/faq/security.md b/versioned_docs/version-2.8/faq/security.md index 46f774bf722..08fd8422730 100644 --- a/versioned_docs/version-2.8/faq/security.md +++ b/versioned_docs/version-2.8/faq/security.md 
@@ -7,12 +7,16 @@ title: Security FAQ -**Is there a Hardening Guide?** +### Is there a Hardening Guide? -The Hardening Guide is now located in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. +The Hardening Guide is located in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. -
- -**What are the results of Rancher's Kubernetes cluster when it is CIS benchmarked?** +### Have hardened Rancher Kubernetes clusters been evaluated by the CIS Kubernetes Benchmark? Where can I find the results? We have run the CIS Kubernetes benchmark against a hardened Rancher Kubernetes cluster. The results of that assessment can be found in the main [Security](../reference-guides/rancher-security/rancher-security.md) section. + +### How does Rancher verify communication with downstream clusters, and what are some associated security concerns? + +Communication between the Rancher server and downstream clusters is performed through agents. Rancher uses either a registered certificate authority (CA) bundle or the local trust store to verify communication between Rancher agents and the Rancher server. Using a CA bundle for verification is more strict, as only the certificates based on that bundle are trusted. If TLS verification for a explicit CA bundle fails, Rancher may fall back to using the local trust store for verifying future communication. Any CA within the local trust store can then be used to generate a valid certificate. + +As described in [Rancher Security Update CVE-2024-22030](https://www.suse.com/c/rancher-security-update/), under a narrow set of circumstances, malicious actors can take over Rancher nodes by exploiting the behavior of Rancher CAs. For the attack to succeed, the malicious actor must generate a valid certificate from either a valid CA in the targeted Rancher server, or from a valid registered CA. The attacker also needs to either hijack or spoof the Rancher server-url as a preliminary step. Rancher is currently evaluating Rancher CA behavior to mitigate against this and any similar avenues of attack.
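Review bot: In the hunk for `docs/faq/security.md`, the added sentence "If TLS verification for a explicit CA bundle fails" needs "an explicit CA bundle", and the fallback description is too vague for a security FAQ: it does not say what counts as a verification failure, whether the fallback is a one-time event or persists for "future communication", or how an administrator can tell which trust source an agent ended up using. Suggest expanding that sentence to state the trigger and persistence of the fallback as the linked CVE-2024-22030 advisory describes them, and rewording "Any CA within the local trust store can then be used to generate a valid certificate" to "a certificate chaining to any CA in the local trust store would then be accepted", since the issue is what the agent accepts, not what the store can generate.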
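Review bot: The hunk for `versioned_docs/version-2.7/faq/security.md` copies "Rancher is currently evaluating Rancher CA behavior to mitigate against this" verbatim into a version-pinned page, where "currently" has no reference point for readers of the 2.7 docs. Suggest qualifying the statement with the 2.7.x patch status given in the linked advisory (or stating that the 2.7 line is affected pending a fix) rather than leaving an undated status claim in a versioned copy; the same "a explicit CA bundle" grammar fix from the unversioned file applies here.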
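Review bot: The hunk for `versioned_docs/version-2.8/faq/security.md` describes the risk but gives administrators nothing actionable: the new FAQ entry says a registered CA bundle is "more strict" yet never says how to confirm that downstream agents are in fact verifying against the registered bundle rather than the local trust store. Suggest adding one sentence after "Any CA within the local trust store can then be used to generate a valid certificate" that points to the relevant agent configuration or log indicator documented elsewhere in the security reference guide, and, as with the other two copies, changing "a explicit CA bundle" to "an explicit CA bundle" and adding the 2.8.x fix status from the linked advisory so the three copies do not drift apart.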