CVE-2023-32186 is a denial-of-service vulnerability in SUSE RKE2, classed as CWE-770 (Allocation of Resources Without Limits or Throttling). It affects RKE2 1.24.0 through 1.28.0 prior to the September 2023 patch releases 1.24.17+rke2r1, 1.25.13+rke2r1, 1.26.8+rke2r1, 1.27.5+rke2r1 and 1.28.1+rke2r1. An attacker who can reach the K3s server's apiserver/supervisor port (TCP 6443) can make the server allocate resources with no limit or throttling and thereby exhaust them. The advisory's stated precondition is network access to the port; it does not mention cluster credentials, so the port should be treated as attackable by any client that can connect to it.

Exploit Details

The advisory does not publish the shape of the triggering request. What it does state is that a crafted request to the K3s server's apiserver/supervisor port (TCP 6443) causes the server to allocate resources without any limit, so repeated requests exhaust memory, CPU or connection capacity and the server stops answering. Because this port fronts the Kubernetes API, a successful attack takes the control plane of the cluster offline, not just a single component.

Code Snippet

The following skeleton shows the shape of such a request. Since the advisory does not publish the triggering request, the endpoint path and payload are placeholders; this is not a working exploit:

import requests
import urllib3

# The advisory does not publish the request that triggers the bug; the
# endpoint and payload below are placeholders, not a working exploit.
attacker_payload = {
    # Specially crafted payload to exploit the vulnerability
}

target_url = 'https://target-k3s-server-IP:6443/path-to-vulnerable-endpoint'

# verify=False skips TLS certificate validation (RKE2 uses a cluster-local CA);
# the warning is silenced so the output stays readable. A timeout keeps the
# client from hanging once the server is already resource-starved.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.post(target_url, json=attacker_payload, verify=False, timeout=10)

# An HTTP 200 only shows the request was accepted; the effect of a
# resource-exhaustion bug is measured on the server (memory, CPU, open
# connections), not in the response code.
if response.status_code == 200:
    print("Request accepted (status 200)")
else:
    print("Request rejected:", response.status_code)

Original References

- SUSE RKE2 Security Announcement
- CVE-2023-32186 - NVD Details
- Description of Allocation of Resources Without Limits or Throttling

Mitigations

Only the upgrade removes the vulnerability; the other two measures reduce exposure and shorten detection time while an upgrade is being scheduled.

1. Upgrade to the fixed RKE2 release for your minor version: 1.24.17+rke2r1, 1.25.13+rke2r1, 1.26.8+rke2r1, 1.27.5+rke2r1 or 1.28.1+rke2r1. Check the running release with rke2 --version on every server node, and upgrade server nodes before agents. The SUSE RKE2 Security Announcement is the authoritative list of affected and fixed versions.

2. Restrict TCP 6443 on server nodes to trusted sources: the cluster nodes themselves, the load balancer in front of the control plane, and the networks from which operators run kubectl. Apply the filter on the host firewall or the cloud security group, and keep established and return traffic allowed so existing clients are not cut off. Note that the advisory wording comes from K3s, where the apiserver and supervisor share port 6443; on RKE2 the supervisor API listens separately on TCP 9345, which should only ever be reachable from cluster nodes.

3. Monitor the control plane for the symptoms of resource exhaustion: new-connection and request rate to port 6443 per source address, memory and CPU use of the kube-apiserver and rke2 server processes, and apiserver request latency. Alert on a sudden rise from a single source or on the apiserver becoming unresponsive, so the offending source can be blocked at the firewall quickly.
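The three mitigations above, worked through as a small POSIX shell script. This is an added example, not code from the SUSE advisory or the RKE2 project: the fixed versions are the ones named in the CVE-2023-32186 text, while the nftables table name, the log prefix, the choice of allowlisted networks and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or the RKE2 project.
# Three helpers for the mitigations listed above. Fixed versions come from
# the CVE-2023-32186 text; table name, log prefix and sample log lines are
# assumptions for this example.

# 1. Version check. Takes the output of `rke2 --version` (first line looks
#    like "rke2 version v1.26.7+rke2r1 (abc123)") and prints "fixed",
#    "vulnerable", "unknown-minor" or "unparsable".
rke2_fix_status() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/.*v1\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)+rke2r[0-9][0-9]*.*/\1 \2/p' |
        head -n 1)
    [ -n "$parsed" ] || { echo unparsable; return 0; }
    set -- $parsed              # $1 = minor, $2 = patch
    case "$1" in
        24) fixed_patch=17 ;;
        25) fixed_patch=13 ;;
        26) fixed_patch=8 ;;
        27) fixed_patch=5 ;;
        28) fixed_patch=1 ;;
        *)  echo unknown-minor; return 0 ;;
    esac
    if [ "$2" -ge "$fixed_patch" ]; then echo fixed; else echo vulnerable; fi
}

# 2. Firewall rules. Prints an nftables ruleset that accepts new TCP/6443
#    connections only from the CIDRs given as arguments (nodes, bastion,
#    CI runners), logs each accepted connection, and drops everything else.
#    Load it with:  nft_allowlist_6443 10.0.0.0/24 192.0.2.10 | nft -f -
nft_allowlist_6443() {
    allow=$(printf '%s, ' "$@"); allow=${allow%, }
    cat <<EOF
table inet rke2_apiserver {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport 6443 ct state new ip saddr { $allow } log prefix "rke2-6443-new: " accept
        tcp dport 6443 drop
    }
}
EOF
}

# 3. Detection. Reads kernel log lines written by the "rke2-6443-new: " rule
#    above (netfilter LOG format) from stdin and prints, sorted, every source
#    that opened more than $1 new connections, together with its count.
flag_noisy_sources() {
    awk -v limit="$1" '
        /rke2-6443-new: / && /DPT=6443/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) if (n[s] > limit) print s, n[s] }' | sort
}

# Constructed, abbreviated sample log (not real data): four new connections
# from one trusted-range source, one from another.
SAMPLE_LOG='kernel: rke2-6443-new: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=6443
kernel: rke2-6443-new: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40002 DPT=6443
kernel: rke2-6443-new: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40003 DPT=6443
kernel: rke2-6443-new: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=40004 DPT=6443
kernel: rke2-6443-new: IN=eth0 OUT= SRC=10.0.0.21 DST=10.0.0.10 PROTO=TCP SPT=50001 DPT=6443'

rke2_fix_status 'rke2 version v1.26.7+rke2r1 (abc123)'   # vulnerable
rke2_fix_status 'rke2 version v1.27.5+rke2r1 (abc123)'   # fixed
nft_allowlist_6443 10.0.0.0/24 192.0.2.10
printf '%s\n' "$SAMPLE_LOG" | flag_noisy_sources 3       # 203.0.113.5 4
```

The ruleset uses ip saddr, so it only allowlists IPv4 clients; IPv6 clients fall through to the drop rule, which is the safe default but must be extended with ip6 saddr if the control plane is reachable over IPv6. The detection function is deliberately threshold-based and stateless so it can run from cron or a journald pipe; tune the threshold to the normal per-source churn of your cluster, since healthy agents and a load balancer will also appear in the log.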

Conclusion

Users of SUSE RKE2 should treat this vulnerability as urgent: upgrade every server node to a fixed release, and until that is done restrict access to the K3s server's apiserver/supervisor port (TCP 6443) to trusted sources so that only known clients can trigger the resource exhaustion.

Timeline

Published on: 09/19/2023 10:15:00 UTC
Last modified on: 09/22/2023 02:00:00 UTC