
CVE-2022-29186: CWE-321: Use of Hard-coded Cryptographic Key in rundeck rundeck

Medium
Published: Fri May 20 2022 (05/20/2022, 20:20:11 UTC)
Source: CVE
Vendor/Project: rundeck
Product: rundeck

Description

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote hosts, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck's `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files.

AI-Powered Analysis

Last updated: 06/23/2025, 08:34:41 UTC

Technical Analysis

CVE-2022-29186 is a CWE-321 (use of a hard-coded cryptographic key) issue in Rundeck, an open-source automation service that provides a web console, command line tools and a WebAPI for running jobs against managed nodes. The official community and enterprise Docker images shipped with a pre-generated SSH keypair (id_rsa and id_rsa.pub) baked into the image filesystem, so every pull of an affected image carried the same private key. The CVE description scopes the affected images to PagerDuty Process Automation On Prem (formerly Rundeck) version 4.0 and earlier; the affected range tracked for this entry extends to Docker images up to 4.2.1, and the exact release in which the keypair was removed should be confirmed against Rundeck's advisory. Debian, RPM and .WAR installations are not affected.

The key is only dangerous once it has been trusted somewhere. If an operator copied id_rsa.pub out of the image into the authorized_keys file of a remote host, which is a natural step when wiring Rundeck up to the nodes it manages, anyone who has pulled the image, and therefore holds the matching id_rsa, can authenticate to that host as that user with no further credentials. Because the private half is effectively public, this amounts to an unauthenticated SSH login, and the hosts most likely to be configured this way are precisely the ones Rundeck was automating, which makes lateral movement across the automation estate the primary risk.

Exploitation therefore depends on a deployment mistake rather than on a flaw in Rundeck's own code: the public key must have been copied from the image filesystem and installed on a host. The patch on Rundeck's main branch stops the image from shipping the keypair, but it cannot revoke trust that was already granted, so remediation has to happen on the hosts: search authorized_keys files for the exposed public key, remove it, and issue a freshly generated keypair. Rundeck provides a script for this search-and-rotate step. As workarounds, do not use any pre-existing public key file found in the image, and remove it from any authorized_keys file where it was already installed. No exploitation in the wild was known at the time of analysis; the severity is rated medium because the impact is full SSH access to affected hosts while the precondition is a misconfiguration.

Potential Impact

For European organizations running Rundeck Docker images up to version 4.2.1, this vulnerability can lead to unauthorized SSH access to any host on which the exposed public key was added to authorized_keys. Confidentiality is at risk because the attacker logs in as whatever account Rundeck was given on that host, integrity because that account is typically allowed to change systems and run automation workflows, and availability because the same access can disrupt automated processes or run arbitrary commands. The risk is highest where Rundeck drives critical IT operations, DevOps pipelines or cloud infrastructure management, since the affected hosts are exactly the managed nodes, and access to them supports lateral movement, privilege escalation or deployment of ransomware and other malware.

Given how widely automation is used in European enterprises, especially in finance, manufacturing and critical infrastructure, the impact could be significant where the precondition is met. That precondition, copying the image's public key into authorized_keys, limits how widespread exploitation can be, and no active exploitation was known at the time of analysis. Neither point eliminates the threat in a targeted attack, because the private key is available to anyone who pulled the image. Organizations that have not audited their Rundeck Docker deployments and the hosts they manage remain at risk regardless of whether the image itself has since been upgraded.

Mitigation Recommendations

1. Immediately audit all Rundeck Docker deployments and the hosts they manage to find where the pre-generated public key (id_rsa.pub) from the Docker image has been copied into authorized_keys files. Match on the key's fingerprint rather than on its comment or a prefix of the key text, so that entries that were re-commented or given options (from=, command=) are still found, and include central key stores, LDAP attributes and configuration-management templates in the search.
2. Run the official remediation script provided by Rundeck to search for and rotate exposed SSH keys across the environment.
3. Upgrade Rundeck Docker images to a release in which the pre-generated keypair has been removed (the fix landed on Rundeck's main branch; the affected range tracked here ends at 4.2.1).
4. Remove every instance of the pre-generated public key from authorized_keys files on all hosts, and replace it with a freshly generated keypair that is unique to each Rundeck instance and created outside the image.
5. Enforce configuration-management and deployment policies that forbid copying credentials embedded in container images into production environments; credentials used by Rundeck should be injected at deploy time, never shipped in the image.
6. Monitor SSH authentication logs for use of the exposed key. sshd logs the fingerprint of the accepted key on a successful public-key login ("Accepted publickey for ... SHA256:..."), so alerting on the leaked key's fingerprint identifies exactly the logins that matter, and any such login after remediation is an attacker.
7. Consider deploying SSH key management solutions that enforce unique, per-host keys and prevent use of hard-coded or shared keys.
8. Educate DevOps and system administrators about the risks of using keys embedded in container images and the importance of key rotation and secure key handling.
9. Where immediate remediation is not feasible, restrict network access to Rundeck Docker instances and to the hosts that may carry the key, to reduce the attack surface until the key has been rotated.
10. Integrate secret scanning for container images into the build pipeline so that embedded private keys and other secrets are detected before an image is deployed.
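The two searches that the technical analysis and mitigation items 1, 4 and 10 call for are straightforward to implement. The following Python is an added example written for this page, not Rundeck's own remediation script: it computes OpenSSH-style SHA256 fingerprints for authorized_keys entries (the same value that ssh-keygen -lf prints and that sshd logs), reports entries matching a set of known-leaked fingerprints, and walks an extracted image filesystem (for instance the output of docker export) for private-key PEM headers. The leaked Rundeck key is deliberately not reproduced; a constructed ssh-ed25519 key stands in for it, the sample authorized_keys content is constructed, and the home/rundeck/.ssh layout in the demo tree is an assumption, not taken from the image.

```python
"""Added example: find a leaked SSH public key in authorized_keys data and
private-key material in an extracted image filesystem.

Illustrative code for this page, not Rundeck's remediation script. The real
leaked key is not reproduced: a constructed ssh-ed25519 key stands in for it,
and the home/rundeck/.ssh layout used below is an assumption about the image.
"""
import base64
import hashlib
import os
import struct
import tempfile
from typing import List, Optional, Set, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by payload."""
    return struct.pack(">I", len(data)) + data


def _blob_type(blob: bytes) -> Optional[str]:
    """Algorithm name stored as the first string of a public-key blob."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def fingerprint(authorized_keys_line: str) -> Optional[str]:
    """OpenSSH SHA256 fingerprint of one authorized_keys entry, or None.

    Options such as from="..." may precede the key type, so the key is located
    by scanning for the type field. The declared type must match the type
    encoded inside the blob; a mismatch or bad base64 yields None.
    """
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPE_PREFIXES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if _blob_type(blob) != field:
            return None
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def find_leaked_keys(authorized_keys_text: str, leaked: Set[str]) -> List[Tuple[int, str]]:
    """(line number, fingerprint) for each entry whose fingerprint is in `leaked`."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = fingerprint(line)
        if fp is not None and fp in leaked:
            hits.append((lineno, fp))
    return hits


PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def find_private_keys(root: str, head_bytes: int = 64 * 1024) -> List[str]:
    """Relative paths under `root` whose first bytes contain a private-key PEM header."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue
            if any(marker in head for marker in PRIVATE_KEY_MARKERS):
                found.append(os.path.relpath(path, root))
    return sorted(found)


# --- constructed sample data; none of this is the real leaked key -----------

def make_ed25519_line(public_point: bytes, comment: str) -> str:
    """Syntactically valid ssh-ed25519 authorized_keys entry (constructed)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(public_point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


LEAKED_LINE = make_ed25519_line(b"\x01" * 32, "rundeck@container (constructed stand-in)")
KNOWN_LEAKED_FINGERPRINTS = {fingerprint(LEAKED_LINE)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    make_ed25519_line(b"\x02" * 32, "ops@bastion"),        # line 1: unrelated key
    "# key pasted from the rundeck image",                  # line 2: comment
    LEAKED_LINE,                                            # line 3: leaked key
    "ssh-rsa not-base64!! garbage",                         # line 4: malformed entry
    'from="10.0.0.0/8",no-pty ' + LEAKED_LINE,              # line 5: leaked key with options
])


def scan_constructed_image_tree() -> List[str]:
    """Write a tiny fake image filesystem to a temp dir and scan it (assumed layout)."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "home", "rundeck", ".ssh")
        os.makedirs(ssh_dir)
        with open(os.path.join(ssh_dir, "id_rsa"), "wb") as fh:
            fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...constructed...\n")
        with open(os.path.join(ssh_dir, "id_rsa.pub"), "w") as fh:
            fh.write(LEAKED_LINE + "\n")
        with open(os.path.join(root, "motd"), "w") as fh:
            fh.write("welcome\n")
        return find_private_keys(root)


if __name__ == "__main__":
    for lineno, fp in find_leaked_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_LEAKED_FINGERPRINTS):
        print(f"authorized_keys line {lineno}: leaked key {fp}")
    for path in scan_constructed_image_tree():
        print(f"private key material in image: {path}")
```

In a real audit, replace KNOWN_LEAKED_FINGERPRINTS with the fingerprint of the id_rsa.pub pulled out of the affected image (ssh-keygen -lf id_rsa.pub gives the same SHA256 form), feed find_leaked_keys the authorized_keys files collected from each host, and feed find_private_keys the directory produced by exporting the image. Matching on the fingerprint is what makes line 5 of the sample a hit even though the entry was given options, and the type check rejects entries whose declared type does not match the blob, which would otherwise produce a fingerprint that never appears in sshd logs.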


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-04-13T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9843c4522896dcbf2f77

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 8:34:41 AM

Last updated: 8/11/2025, 4:48:01 PM

Views: 12
