Bug 1152544 (CVE-2014-3699)
Summary: | CVE-2014-3699 eDeploy: Remote code execution due to cPickle deserialization of untrusted data | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | grocha, jrusnack, mjc, security-response-team, tdecacqu, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-03-17 23:21:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1152549 |
Description
David Jorm
2014-10-14 11:42:05 UTC
Acknowledgements: This issue was discovered by Kurt Seifried of Red Hat Product Security. So in src/netdetect.py and src/health_protocol.py we send and receive pickled data, no authentication, so anyone with network access == code execution Code, snipped, basically: src/netdetect.py def start_sync_bench_server(): '''Server is made for receiving keepalives and manage them.''' ''' Let's bind a server to the Multicast group ''' ''' Let's get keepalives from servers ''' answer = cPickle.loads(sock.recv(10240)) def start_discovery_server(): '''Server is made for receiving keepalives and manage them.''' ''' Let's bind a server to the Multicast group ''' ''' Until we got a synthesis list from another server ''' while not synthesis: answer = {} ''' Let's get keepalives from servers ''' answer = cPickle.loads(sock.recv(10240)) def start_client(mode, max_clients=0): ''' While we are in discovery mode, let's send keepalives ''' while discovery: sys.stderr.write("Sending keepalive for %s\n" % my_mac_addr) sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT)) sys.stderr.write("Sending Ready To Bench for %s\n" % my_mac_addr) sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT)) sys.stderr.write("Sending Go !\n") sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT_GO)) def scrub_timestamp(): '''Scrubing deletes server that didn't sent keepalive on time.''' sock.sendto(cPickle.dumps(server_list), (MCAST_GRP, MCAST_PORT)) sys.stderr.write("No remote system detected, exiting\n") sock.sendto(cPickle.dumps(message), (MCAST_GRP, MCAST_PORT)) ''' It's time to send the synthesis to the other nodes ''' leader = True sock.sendto(cPickle.dumps(server_list), (MCAST_GRP, MCAST_PORT)) def wait_for_go(): global ready_to_bench ''' Let's bind a server to the Multicast group ''' ''' Let's get keepalives from servers ''' answer = cPickle.loads(sock.recv(10240)) =============================================================================== src/health_protocol.py def start_sync_bench_server(): '''Server is made for receiving keepalives and manage them.''' ''' Let's bind a server to the Multicast group ''' sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) ''' Let's get keepalives from servers ''' answer = cPickle.loads(sock.recv(10240)) def start_discovery_server(): '''Server is made for receiving keepalives and manage them.''' ''' Let's bind a server to the Multicast group ''' ''' Until we got a synthesis list from another server ''' while not synthesis: answer = {} ''' Let's get keepalives from servers ''' answer = cPickle.loads(sock.recv(10240)) def start_client(mode, max_clients=0): '''Client is made for generating keepalives.''' ''' Let's prepare the socket ''' ''' While we are in discovery mode, let's send keepalives ''' while discovery: sys.stderr.write("Sending keepalive for %s\n" % my_mac_addr) sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT)) while ready_to_bench: sys.stderr.write("Sending Ready To Bench for %s\n" % my_mac_addr) sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT)) sys.stderr.write("Sending Go !\n") sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT_GO)) def scrub_timestamp(): '''Scrubing deletes server that didn't sent keepalive on time.''' sock.sendto(cPickle.dumps(server_list), sys.stderr.write("No remote system detected, exiting\n") sock.sendto(cPickle.dumps(message), ''' It's time to send the synthesis to the other nodes ''' leader = True sock.sendto(cPickle.dumps(server_list), def wait_for_go(): global ready_to_bench ''' Let's bind a server to the Multicast group ''' ''' Let's get keepalives from servers ''' answer = cPickle.loads(sock.recv(10240)) This is now public https://github.com/enovance/edeploy/issues/229 Statement: Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream. |