When Rancher Desktop 1.2.0 was released with the dashboard as a feature preview, some users reported being prompted to provide steve with network access on Windows and macOS. Upon investigation by the Rancher Desktop team it was determined that a vulnerability was causing this request for network access.
Impact
When Rancher Desktop launches, it starts a background service, named steve, that the dashboard communicates with. This service was bound to all network interfaces on the system, making it reachable from the local network. The dashboard uses this API to perform its operations, so anyone on the network could access it as well.
Patches
The issue has been fixed in version 1.2.1.
Workarounds
A workaround is to deny steve access to the network. If it is blocked completely, the dashboard will not function. Allowing only localhost to reach steve lets the dashboard function while blocking remote traffic.
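The distinction the workaround relies on, as an added illustration that is not Rancher Desktop's or steve's own code: a listen address with an empty, 0.0.0.0 or :: host binds every interface (the exposure described above), while a loopback host accepts only local connections. IsLoopbackOnly and ListenLoopback are constructed names for this example.

```go
package main

import (
	"fmt"
	"net"
)

// IsLoopbackOnly reports whether a "host:port" listen address would accept
// connections only from the local machine. An empty host, "0.0.0.0" or "::"
// bind every interface, which is the exposure the advisory describes.
func IsLoopbackOnly(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return false, nil // ":port" means all interfaces
	}
	if host == "localhost" {
		return true, nil // treated as loopback without a DNS lookup (assumption)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, fmt.Errorf("unresolved host %q; resolve it before deciding", host)
	}
	if ip.IsUnspecified() { // 0.0.0.0 and :: both expose the service
		return false, nil
	}
	return ip.IsLoopback(), nil
}

// ListenLoopback opens a TCP listener reachable only from the local host;
// port 0 lets the kernel pick a free port. Callers close the listener.
func ListenLoopback(port int) (net.Listener, error) {
	return net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
}

func main() {
	for _, a := range []string{":8080", "0.0.0.0:8080", "[::]:8080", "127.0.0.1:8080", "[::1]:8080"} {
		ok, err := IsLoopbackOnly(a)
		fmt.Printf("%-16s loopback-only=%v err=%v\n", a, ok, err)
	}
	ln, err := ListenLoopback(0)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	ok, _ := IsLoopbackOnly(ln.Addr().String())
	fmt.Println("listener", ln.Addr(), "loopback-only:", ok)
}
```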
For more information
Rancher Desktop's security policy is spelled out in detail in the SECURITY document.