8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-32198

CVE-2023-32198: Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks

Impact

A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using Steve.

For example, Rancher relies on Steve as a dependency for its user interface (UI) to proxy requests to Kubernetes clusters. Users who have the permission to create a service in Rancher’s local cluster can take over Rancher’s UI and display their own UI to gather sensitive information. This is only possible when the setting ui-offline-preferred is manually set to remote (by default Rancher sets it to dynamic). This enables further attacks such as cross-site scripting (XSS), or tampering the UI to collect passwords from other users etc.

Please consult the associated MITRE ATT&CK - Technique - Adversary-in-the-Middle for further information about this category of attack.

Patches

Patched versions of Steve include releases v0.2.1, v0.3.3, v0.4.4 and v0.5.13.

This vulnerability is addressed by changing Steve to always verify a server’s certificate based on Go’s TLS settings.

Workarounds

If you can't upgrade to a fixed version, please make sure that you are only using Steve to connect to trusted servers.

References

If you have any questions or comments about this advisory:

Reach out to the SUSE Rancher Security team for security related inquiries.
Open an issue in the Rancher repository.
Verify with our support matrix and product support lifecycle.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-32198

CVE-2023-32198:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/steve	go	>= 0.2.0, < 0.2.1	0.2.1
github.com/rancher/steve	go	>= 0.4.0, < 0.4.4	0.4.4
github.com/rancher/steve	go	>= 0.5.0, < 0.5.13	0.5.13
github.com/rancher/steve	go	>= 0.3.0, < 0.3.3	0.3.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Steve not verifying server certificates during TLS connections, specifically when fetching UI assets from a remote URL. The provided patches (e.g., 9dc48c7b361a927ce982895b8397bca5acd1baae) clearly show changes in pkg/ui/handler.go.

The global variable insecureClient was removed. This client was initialized with tls.Config{ InsecureSkipVerify: true }, which is the root cause of the vulnerability.
The function serveIndex was modified to stop using this insecureClient. Instead, it now creates a new http.Client with default (secure) TLS settings for each call. This function directly performed the insecure GET request using the insecureClient.
The method (u *Handler) IndexFile calls serveIndex when the UI path is determined to be a URL. This makes IndexFile a key part of the vulnerable execution path when remote UI fetching is enabled.

Therefore, serveIndex is directly vulnerable as it performed the insecure network call, and (*Handler).IndexFile is vulnerable as it orchestrates the call to serveIndex with user-controlled or configuration-controlled URLs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-32198: Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks

Impact

Patches

Workarounds

References

CVE-2023-32198:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2023-32198: Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks

Impact

Patches

Workarounds

References

8.1

8.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI