Threat Advisory

Harvester Vulnerability Allows Untrusted Traffic Interception

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2025-71261, with a CVSS score of 8.6, is a vulnerability in the SUSE Virtualization Registration Client, part of the Go package github.com/harvester/harvester, affecting versions prior to 1.8.0. The registration client is configured with an insecure TLS option that skips verification of the remote server's certificate, which allows a man-in-the-middle (MitM) attack. An attacker with network-level access between SUSE Virtualization and Rancher Manager can exploit this to bypass TLS as a security control and mislead the registration client into sending cluster registration requests to an impersonated remote service. Alternatively, the attacker can induce a memory buffer overflow, potentially crashing the SUSE Virtualization registration controller. The vulnerability therefore lets the attacker compromise the cluster registration configuration and cause a denial-of-service (DoS) condition. The business impact of exploitation includes unauthorized access to the cluster, loss of data integrity, and potential system crashes, all of which can lead to significant downtime and financial losses. Prerequisites for exploitation are network-level access between SUSE Virtualization and Rancher Manager and the ability to manipulate the `cluster-registration-url` setting.
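The advisory turns on one TLS client setting: a client that skips server-certificate verification accepts whatever endpoint an on-path host presents. The following Go program is an added example written for this advisory; it is not Harvester's or Rancher's code, and the function names, the `/v3/import/register` path and the registration URL checks are constructed for illustration. It stands up a self-signed test server in the role of an impersonated Rancher Manager and shows that the weak setting (`InsecureSkipVerify: true`) accepts it, a client with default verification rejects it with a certificate error, and a client that trusts only the expected CA accepts the genuine endpoint. It also adds the check a defender would want on the `cluster-registration-url` value itself: refuse anything that is not an `https` URL with a host.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// newRegistrationClient builds an HTTP client for the registration endpoint.
// insecure=true reproduces the weak setting the advisory describes: the peer
// certificate is never verified, so any on-path host can impersonate Rancher
// Manager. insecure=false keeps full verification; roots may be nil (system
// trust store) or a pool holding only the CA that issued Rancher Manager's
// certificate. (Hypothetical helper, not Harvester's own code.)
func newRegistrationClient(insecure bool, roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: insecure, // the vulnerable configuration when true
		RootCAs:            roots,
	}
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
}

// validateRegistrationURL rejects cluster-registration-url values that would
// silently downgrade the channel: only https with a non-empty host is allowed.
func validateRegistrationURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("registration URL must use https, got %q", u.Scheme)
	}
	if u.Hostname() == "" {
		return errors.New("registration URL has no host")
	}
	return nil
}

// register performs a GET against the registration URL (the path is a
// constructed stand-in, not the real Harvester/Rancher API) and returns the
// transport or HTTP error, if any.
func register(c *http.Client, registrationURL string) error {
	if err := validateRegistrationURL(registrationURL); err != nil {
		return err
	}
	resp, err := c.Get(registrationURL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// isCertError reports whether a request failed because the peer certificate
// was rejected: the outcome a correctly configured client must produce when
// it reaches an impersonated endpoint.
func isCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &noRoots)
}

// demo runs three clients against a self-signed server that plays the
// impersonated Rancher Manager. It returns whether the insecure client
// accepted it, whether the strict client rejected it with a certificate
// error, and whether a client pinned to the server's own cert accepted it.
func demo() (insecureOK, strictRejected, pinnedOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	target := srv.URL + "/v3/import/register" // constructed path

	insecureOK = register(newRegistrationClient(true, nil), target) == nil
	strictRejected = isCertError(register(newRegistrationClient(false, nil), target))

	// The legitimate deployment: trust exactly the CA that issued the
	// registration endpoint's certificate (here the self-signed cert itself).
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedOK = register(newRegistrationClient(false, pool), target) == nil
	return insecureOK, strictRejected, pinnedOK
}

func main() {
	a, b, c := demo()
	fmt.Printf("insecure client accepted untrusted cert: %v\n", a)
	fmt.Printf("strict client rejected it with a certificate error: %v\n", b)
	fmt.Printf("client pinned to the expected CA accepted it: %v\n", c)
}
```

The fixed behaviour is the second and third lines of that output together: verification must fail against an unexpected certificate and succeed against the expected one. Pinning `RootCAs` to the CA that issued Rancher Manager's certificate, rather than relying on the system store, also narrows what an attacker who controls the `cluster-registration-url` setting can point the client at.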

RECOMMENDATION:

We strongly recommend that you update github.com/harvester/harvester to version 1.8.0 or later, available from the project's releases page: https://github.com/harvester/harvester/releases

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-pgh9-mpwc-8jjf
