
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-32197 is a critical vulnerability in RKE2 deployments that affects Windows nodes. It was discovered and disclosed on October 25, 2024. The vulnerability affects RKE2 versions 1.27.0-1.27.15, 1.28.0-1.28.11, 1.29.0-1.29.6, and 1.30.0-1.30.2. The issue is exclusive to Windows environments; Linux environments are unaffected (GitHub Advisory).
The vulnerability stems from weak Access Control Lists (ACLs) in RKE2 Windows nodes, which incorrectly allow BUILTIN\Users or NT AUTHORITY\Authenticated Users to view or edit sensitive files. The affected files include critical system components such as password files, log files, and binary directories located in paths like C:\etc\rancher\node\password, C:\var\lib\rancher\rke2\agent\logs\kubelet.log, and various binary locations under C:\var\lib\rancher\rke2. The vulnerability has been assigned a CVSS v3.1 score of 9.1 (Critical), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).
The vulnerability enables potential privilege escalation through unauthorized access to sensitive files. Affected systems may experience compromised confidentiality, integrity, and availability of critical system components. The scope of impact is particularly severe as it allows attackers to view and modify sensitive configuration files and binaries, potentially leading to system compromise (GitHub Advisory).
Patched versions have been released, including RKE2 1.31.0, 1.30.2, 1.29.6, 1.28.11, and 1.27.15. Users are strongly advised to perform a fresh installation of their RKE2 Windows nodes using a patched version. For cases where immediate patching is not possible, users can implement a temporary workaround by enforcing stricter ACLs for all affected files using a PowerShell script that must be run as an Administrator on each node (GitHub Advisory).
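Before patching or tightening ACLs, it helps to know which files on a node actually carry the weak entries. The following read-only audit is an added example, not the workaround script from the advisory: the function name Get-Rke2WeakAcl is hypothetical, the paths are the ones named above, and the two groups are matched by their well-known SIDs.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated PowerShell prompt.
# Paths are the ones named on this page; the function name is hypothetical.
$Paths = @(
    'C:\etc\rancher\node\password',
    'C:\var\lib\rancher\rke2\agent\logs\kubelet.log',
    'C:\var\lib\rancher\rke2'
)

# Well-known SIDs, used instead of names so the check also works on localized Windows.
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
}

function Get-Rke2WeakAcl {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found, skipping: $p"
            continue
        }
        # Check the item itself and, for a directory, everything beneath it.
        $items = @(Get-Item -LiteralPath $p -Force)
        if ($items[0].PSIsContainer) {
            $items += @(Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue)
        }
        foreach ($item in $items) {
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
            # Explicit and inherited rules, with identities translated to SIDs.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Identity  = $BroadSids[$sid]
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                    }
                }
            }
        }
    }
}

Get-Rke2WeakAcl -Path $Paths | Sort-Object Path, Identity, Rights, Inherited -Unique | Format-Table -AutoSize
```

An empty result means neither group holds an allow entry on the paths checked. Rows marked Inherited point to a parent directory whose ACL is the one to correct.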
Source: This report was generated using AI