Headline
GHSA-h773-7gf7-9m2x: NeuVector is shipping cryptographic material into its binary
Impact
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
In the patched version, NeuVector leverages the Kubernetes secret neuvector-store-secret in neuvector namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed securely within Kubernetes.
During rolling upgrade or restoring from persistent storage, the NeuVector controller checks each encrypted configured field. If a sensitive field in the configuration is found to be encrypted by the default encryption key, it’s decrypted with the default encryption key and then re-encrypted with the new dynamic encryption key.
If the NeuVector controller does not have the correct RBAC for accessing the new secret, it writes this error log :
Required Kubernetes RBAC for secrets are not found and exits.
The device encryption key is rotated every 3 months. For details, please refer to this Rotating Self-Signed Certificate documentation.
Patches
Patched versions include release v5.4.7 and above.
Workarounds
There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.
Impact
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
In the patched version, NeuVector leverages the Kubernetes secret neuvector-store-secret in neuvector namespace to dynamically generate cryptographically secure random keys. This approach removes the reliance on static key values and ensures that encryption keys are managed securely within Kubernetes.
During rolling upgrade or restoring from persistent storage, the NeuVector controller checks each encrypted configured field. If a sensitive field in the configuration is found to be encrypted by the default encryption key, it’s decrypted with the default encryption key and then re-encrypted with the new dynamic encryption key.
If the NeuVector controller does not have the correct RBAC for accessing the new secret, it writes this error log :
Required Kubernetes RBAC for secrets are not found and exits.
The device encryption key is rotated every 3 months. For details, please refer to this Rotating Self-Signed Certificate documentation.
Patches
Patched versions include release v5.4.7 and above.
Workarounds
There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector that contains the fix.
References
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security related inquiries.
- Open an issue in the NeuVector repository.
- Verify with our support matrix and product support lifecycle.
References
- GHSA-h773-7gf7-9m2x
- neuvector/neuvector@084a437