CVE-2021-32001 Explained: Impact and Mitigation

Learn about CVE-2021-32001 affecting SUSE Rancher K3s and RKE2, allowing unauthorized access to cluster keying material without token value knowledge. Take immediate measures to patch and secure affected systems.

K3s/RKE2 bootstrap data is encrypted with an empty string if the user does not supply a token.

Understanding CVE-2021-32001

K3s in SUSE Rancher allows unauthorized access to the cluster's confidential keying material without the need to know the token value.

What is CVE-2021-32001?

This CVE affects SUSE Rancher versions of K3s and RKE2, allowing any user with direct access to the datastore to extract and decrypt critical keying material.

The Impact of CVE-2021-32001

The vulnerability can lead to unauthorized access to sensitive data such as the cluster certificate authority private keys and the secrets encryption configuration passphrase.

Technical Details of CVE-2021-32001

K3s and RKE2 versions v1.19.12, v1.20.8, v1.21.2, and earlier are affected by this vulnerability.

Vulnerability Description

The flaw allows attackers to decrypt the cluster's keying material without knowledge of the token value, posing a significant risk to data confidentiality.

Affected Systems and Versions

SUSE Rancher K3s versions v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions, and RKE2 versions v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and earlier are impacted.
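
The ranges above can be checked across a node inventory. The following is an added example, not code from SUSE or from the original page: it classifies version strings in the `vX.Y.Z+k3sN` / `vX.Y.Z+rke2rN` form used above against the listed last-affected releases. The function names, status labels and sample inventory are assumptions constructed for illustration; the build suffix number is ignored and pre-release tags are reported as unknown.

```python
import re

# Last affected patch release on each minor line, as listed on this page.
LAST_AFFECTED = {(1, 19): 12, (1, 20): 8, (1, 21): 2}
OLDEST_LISTED = min(LAST_AFFECTED)
NEWEST_LISTED = max(LAST_AFFECTED)

VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+([0-9A-Za-z.]+))?$"
)
BUILD_RE = re.compile(r"(k3s|rke2r)\d+")


def classify(version):
    """Return 'affected', 'not-listed' or 'unknown' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre, build = m.group(4), m.group(5)
    if build is None or not BUILD_RE.fullmatch(build):
        return "unknown"  # not a K3s/RKE2 build string
    if pre:
        return "unknown"  # pre-release builds need manual review
    line = (major, minor)
    if line < OLDEST_LISTED:
        return "affected"  # covered by "and prior versions"
    if line > NEWEST_LISTED:
        return "not-listed"
    last = LAST_AFFECTED.get(line)
    if last is None:
        return "unknown"
    return "affected" if patch <= last else "not-listed"


def audit(inventory):
    """Map each status to the sorted node names that have it."""
    report = {"affected": [], "not-listed": [], "unknown": []}
    for node, version in inventory.items():
        report[classify(version)].append(node)
    return {status: sorted(nodes) for status, nodes in report.items()}


# Constructed sample inventory (node name -> reported version string).
SAMPLE = {
    "edge-a": "v1.19.12+k3s1", "edge-b": "v1.20.9+k3s1",
    "core-a": "v1.21.2+rke2r1", "core-b": "v1.18.20+k3s1",
    "core-c": "v1.22.3+rke2r1", "lab-a": "v1.21.3-rc1+k3s1",
    "lab-b": "v1.21.2",
}

if __name__ == "__main__":
    for status, nodes in audit(SAMPLE).items():
        print(f"{status}: {', '.join(nodes) or '-'}")
```

A `not-listed` result only means the version is newer than the affected releases named here; this page does not state the fixed version numbers.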

Exploitation Mechanism

Attackers with access to the datastore or its backup can exploit this vulnerability to extract and decrypt sensitive keying material.

Mitigation and Prevention

Immediate actions should be taken to secure affected systems and prevent unauthorized access to critical data.

Immediate Steps to Take

Organizations should apply the necessary patches and updates provided by SUSE to address this vulnerability promptly.

Long-Term Security Practices

Implement strict access controls, encryption best practices, and regular security audits to safeguard against similar vulnerabilities.

Patching and Updates

Stay updated with security bulletins from SUSE and apply patches promptly to mitigate the risks associated with CVE-2021-32001.
