RancherOS 1.6.x < 1.6.28 / 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Arbitrary File Read

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128056);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/19");

  script_cve_id("CVE-2019-12274");

  script_name(english:"RancherOS 1.6.x < 1.6.28 / 2.0.x < 2.0.15 / 2.1.x < 2.1.10 / 2.2.x < 2.2.4 Arbitrary File Read");

  script_set_attribute(attribute:"synopsis", value:
"A Docker container of Rancher installed on the remote host is missing a security patch.");
  script_set_attribute(attribute:"description", value:
"In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the 
Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The 
problem is that a user could choose to post a sensitive file such as /root/.kube/config or 
/var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version 
number.");
  # https://forums.rancher.com/t/rancher-release-v2-2-4-addresses-rancher-cve-2019-12274-and-cve-2019-12303/14466
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76c65d4b");
  # https://github.com/rancher/rancher/releases/tag/v2.2.4
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?972b6c60");
  # https://github.com/rancher/rancher/releases/tag/v2.1.10
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48cf906b");
  # https://github.com/rancher/rancher/releases/tag/v2.0.15
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3693a71b");
  # https://github.com/rancher/rancher/releases/tag/v1.6.28
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f2d277a3");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.6.28 / 2.0.15 / 2.1.10 / 2.2.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12274");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:rancher_labs:rancher");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("rancher_local_detection.nbin", "rancher_web_ui_detect.nbin");
  script_require_keys("installed_sw/Rancher", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

app = 'Rancher';

get_install_count(app_name:app, exit_if_zero:TRUE);
app_info = vcf::combined_get_app_info(app:app);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

constraints = [
  {'min_version'   : '1.6.0',  'fixed_version' : '1.6.28'},
  {'min_version'   : '2.0.0',  'fixed_version' : '2.0.15'},
  {'min_version'   : '2.1.0',  'fixed_version' : '2.1.10'},
  {'min_version'   : '2.2.0',  'fixed_version' : '2.2.4'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);