VYPR NVD Advisory: High severity. Published Apr 1, 2022. Updated Sep 16, 2024.

Deleting PRTBs associated with a group doesn't cause deletion of corresponding RoleBindings

CVE-2021-36775

Description

Rancher fails to revoke cluster-scoped permissions when a project role binding for a group is removed, allowing retained access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An improper access control vulnerability (CVE-2021-36775) in SUSE Rancher affects versions prior to 2.4.18, 2.5.12, and 2.6.3 [1][4]. When removing a Project Role Template Binding (PRTB) associated with a group from a project, the corresponding RoleBinding or ClusterRoleBinding objects that grant cluster-scoped permissions to that group are not deleted [2][4]. This occurs because the authorization logic does not properly clean up bindings when the PRTB is removed [4].

Exploitation

To exploit this vulnerability, an attacker must be a member of a group that was previously granted a project role via a PRTB [4]. The attacker only needs authenticated access to Rancher. No special privileges are required beyond membership in the affected group [4]. The exploitation occurs when an administrator removes the project role from the group; the stale bindings remain, allowing the attacker to continue accessing cluster-scoped resources that should have been revoked [2][4].

Impact

Successful exploitation allows an authenticated user of an affected group to retain access to cluster-scoped resources after their project role has been removed [4]. The level of retained access depends on the original permissions granted by the removed project role [4]. This is a violation of the principle of least privilege and can lead to unauthorized information disclosure, data modification, or further compromise, depending on the specific permissions that were not revoked [1][4].

Mitigation

SUSE Rancher has released patched versions 2.4.18, 2.5.12, and 2.6.3 to fix this issue [4]. Users should upgrade to these versions or later. There is no direct workaround aside from limiting access in Rancher to trusted users [4]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
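The defect described above leaves Kubernetes RoleBinding and ClusterRoleBinding objects whose Group subject no longer corresponds to any live Rancher binding. The following audit script is an added example (not code from Rancher or from this advisory) that reconciles the two: it collects the group principals that still hold a ProjectRoleTemplateBinding and flags every binding whose Group subject is not among them. The JSON inputs are constructed to mimic the `items` shape of `kubectl get ... -o json`; the PRTB field names `groupPrincipalName` and `groupName` are assumptions about the Rancher object schema. In a real run, ClusterRoleTemplateBindings and GlobalRoleBindings must be passed as extra sources too, or groups authorized through them would show up as false positives.

```python
import json

# Constructed sample of `kubectl get projectroletemplatebindings -A -o json`.
# Field names (groupPrincipalName, projectName, roleTemplateName) are assumed.
PRTBS = json.loads("""
{"items": [
  {"metadata": {"name": "prtb-abc", "namespace": "p-xyz"},
   "groupPrincipalName": "github_team://111",
   "projectName": "c-abc:p-xyz",
   "roleTemplateName": "project-member"}
]}
""")

# Constructed sample of RBAC objects in a downstream cluster. Group 222 has no
# PRTB any more, so its two bindings are exactly the stale access this CVE describes.
BINDINGS = json.loads("""
{"items": [
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "crb-1"},
   "roleRef": {"kind": "ClusterRole", "name": "c-abc-clustermember"},
   "subjects": [{"kind": "Group", "name": "github_team://111"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "crb-2"},
   "roleRef": {"kind": "ClusterRole", "name": "c-abc-clustermember"},
   "subjects": [{"kind": "Group", "name": "github_team://222"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "rb-1", "namespace": "p-old"},
   "roleRef": {"kind": "Role", "name": "p-old-projectmember"},
   "subjects": [{"kind": "Group", "name": "github_team://222"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "rb-user", "namespace": "p-xyz"},
   "roleRef": {"kind": "Role", "name": "p-xyz-projectmember"},
   "subjects": [{"kind": "User", "name": "u-123"}]}
]}
""")


def live_groups(prtbs, extra_sources=()):
    """Set of group principals that still hold some Rancher role template binding.

    `extra_sources` should carry CRTB and GlobalRoleBinding listings in the
    same `items` shape so that groups authorized there are not reported.
    """
    groups = set()
    for source in (prtbs, *extra_sources):
        for item in source.get("items", []):
            group = item.get("groupPrincipalName") or item.get("groupName")
            if group:
                groups.add(group)
    return groups


def stale_group_bindings(bindings, expected_groups):
    """Return (kind, namespace, binding name, group) for every Group subject
    of a RoleBinding/ClusterRoleBinding that no live Rancher binding explains."""
    stale = []
    for binding in bindings.get("items", []):
        meta = binding.get("metadata", {})
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "Group":
                continue  # user and service-account subjects are out of scope here
            if subject.get("name") not in expected_groups:
                stale.append((binding.get("kind"),
                              meta.get("namespace", ""),
                              meta.get("name"),
                              subject.get("name")))
    return stale


def audit(prtbs, bindings, extra_sources=()):
    """Run the reconciliation and return the list of stale bindings."""
    return stale_group_bindings(bindings, live_groups(prtbs, extra_sources))


if __name__ == "__main__":
    for kind, ns, name, group in audit(PRTBS, BINDINGS):
        where = f"{ns}/{name}" if ns else name
        print(f"STALE {kind} {where}: group {group} has no live Rancher binding")
```

Each flagged line names a binding an administrator expected Rancher to remove; on a patched version the reconciliation should come back empty, which makes the script a cheap post-upgrade check as well as a way to find leftovers created before the upgrade.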

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions     Patched version
github.com/rancher/rancher   Go          < 2.4.18              2.4.18
github.com/rancher/rancher   Go          >= 2.5.0, < 2.5.12    2.5.12
github.com/rancher/rancher   Go          >= 2.6.0, < 2.6.3     2.6.3

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
