A now-patched version of Rancher, an open source Kubernetes management tool, stored secrets in plaintext, a security researcher has discovered.
The issue affected various Kubernetes objects and could enable attackers to take over entire clusters.
Rancher, which was acquired by German software provider SUSE in 2020, is popular among the DevOps and Kubernetes communities.
The platform allows developers to deploy and run Kubernetes container clusters from different providers. It also adds value by centralizing authentication and role-based access control to clusters, which allows admins to control cluster access from one location.
Linux system engineer Marco Stuurman, who made the recent discovery, stumbled on it while investigating Rancher’s service tokens. “I’m not a security researcher, but I keep my eyes open for things like this,” Stuurman told The Daily Swig.
“I fetched information from one of our Rancher set-ups and became suspicious of the token. I’ve looked into similar tokens before, so it caught my attention.”
According to Stuurman’s findings, Rancher stored sensitive fields like passwords, API keys, and account tokens in unencrypted plaintext directly on Kubernetes objects.
“Storing secrets in plaintext is indeed bad practice but sometimes needed. In this case, you can’t choose to hash the secret as this is the access key to the cluster,” Stuurman said. “The problem lies in the low privileges needed to access this key.”
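The flaw class described above, credentials stored inline on ordinary Kubernetes objects instead of in Secrets, can be audited from a `kubectl get ... -o json` dump. This is an added illustration for this article, not Rancher's code; the sample object, its kind and its field names are constructed assumptions.

```python
"""Audit a decoded Kubernetes object for credential-like fields stored inline.

Added example, not Rancher's code. The sample object and its field names are
constructed; only the scanning logic is the point."""
import re
from typing import Any, Dict, List, Tuple

# Key names that usually hold credentials. Values under such keys belong in a
# Secret that the object references by name, not inline on the object itself.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|token|apikey|api_key|accesskey|access_key|secret|credential)",
    re.I,
)
# Keys that merely point at a Secret by name are acceptable and are skipped.
REFERENCE_SUFFIXES = ("Ref", "SecretName", "_ref")


def find_inline_credentials(obj: Any, path: str = "") -> List[Tuple[str, str]]:
    """Walk the object and return (json_path, preview) for every non-empty
    string stored under a credential-looking key (references are ignored)."""
    hits: List[Tuple[str, str]] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if (isinstance(value, str) and value
                    and SENSITIVE_KEY.search(key)
                    and not key.endswith(REFERENCE_SUFFIXES)):
                # Keep only a short prefix so the audit report does not leak the value.
                hits.append((child, value[:4] + "..."))
            else:
                hits.extend(find_inline_credentials(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_inline_credentials(item, f"{path}[{i}]"))
    return hits


# Constructed sample: a cluster-like custom resource with a provider key and a
# service-account token stored inline, next to a proper Secret reference.
SAMPLE_OBJECT: Dict[str, Any] = {
    "apiVersion": "example.io/v1",           # assumed, not a real API group
    "kind": "ManagedCluster",                # assumed kind
    "metadata": {"name": "prod-1"},
    "spec": {
        "provider": {"accessKey": "AKIACONSTRUCTEDEXAMPLE", "region": "eu-west-1"},
        "registrySecretName": "registry-creds",  # reference by name: fine
    },
    "status": {"serviceAccountToken": "eyJhbGciOiJSUzI1NiJ9.constructed.token"},
}

if __name__ == "__main__":
    for json_path, preview in find_inline_credentials(SAMPLE_OBJECT):
        print(f"inline credential at {json_path}: {preview}")
```

Anyone holding `get` on the resource kind sees these fields, which is the low-privilege exposure the article describes; moving them into a Secret and referencing it by name narrows who can read them.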