| Field | Value |
|---|---|
| Summary | CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication |
| Product | [Other] Security Response |
| Reporter | Adam Mariš <amaris> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | abeekhof, btotty, cbuissar, cfeist, jpokorny, kgaillot, security-response-team, slong, yozone |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | pacemaker 1.1.16 |
| Doc Type | If docs needed, set a value |
| Doc Text | An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-11-08 13:49:04 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | 1369467, 1374774, 1374775, 1374776, 1374777, 1391386 |
| Bug Blocks | 1369733, 1379785 |
| Attachments | |
Acknowledgments: Name: Jan "poki" Pokorny (Red Hat), Alain Moulle (ATOS/BULL)

*** Bug 1369467 has been marked as a duplicate of this bug. ***

*** Bug 1379782 has been marked as a duplicate of this bug. ***

Created pacemaker tracking bugs for this issue:
Affects: fedora-all [bug 1391386]

Created attachment 1216896: Fix, latest version

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2614 https://rhn.redhat.com/errata/RHSA-2016-2614.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:2675 https://rhn.redhat.com/errata/RHSA-2016-2675.html
It was found that pacemaker does not properly check privileges and allows a non-privileged user to escalate privileges to root level.

Vulnerable code (lib/common/ipc.c):

```c
317     if(gid_cluster != 0 && gid_client != 0) {
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
318         uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
319
320         if(uid_client == 0 || uid_server == 0) { /* Someone is privileged, but the other may not be */
                              ^^^^^^^^^^^^^^^^
321             best_uid = QB_MAX(uid_client, uid_server);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
322             crm_trace("Allowing user %u to clean up after disconnect", best_uid);
323         }
324
325         crm_trace("Giving access to group %u", gid_cluster);
326         qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^
327     }
```

Introduced with commit https://github.com/ClusterLabs/pacemaker/commit/5fe63f902b35bfed9cee117060a3ba7830d548f5

Affected pacemaker versions
===========================

Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version Pacemaker-1.1.15 (2016-06-21). This covers all pacemaker packages since at least RHEL 6.5 (up to what's currently queued for RHEL 7.3).

Affected pacemaker daemons
==========================

- union of those running as root:
  . pacemakerd
  . stonithd
  . lrmd
  and those exposing IPC API:
  . lrmd
  . ...?

References
==========

Upstream patch: https://github.com/ClusterLabs/pacemaker/commit/5d71e65049
Upstream discussion: http://clusterlabs.org/pipermail/users/2016-November/004432.html
Disclosure email: http://www.openwall.com/lists/oss-security/2016/11/03/5
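The following is an added C model of the guard quoted above, written for this page; it is not pacemaker's or libqb's code. The type and function names (`ipc_auth_t`, `vulnerable_ipc_auth`, `hardened_ipc_auth`, `client_has_access`, `guard_lets_client_in`), the cluster gid 189 and the user ids are constructed, and the `qb_ipcs_connection_auth_set()` call is replaced by a struct recording the owner, group and mode it would have received. The hardened variant is one illustrative policy (the client must be root or a member of the cluster group); it is an assumption for this example, not a reproduction of the upstream patch linked above. The model shows the mechanism behind the report: for a daemon running as root, `uid_server == 0` always holds, so `QB_MAX(uid_client, uid_server)` resolves to the connecting user's own uid and the entry guard `gid_client != 0` is satisfied by every ordinary local account.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added model of the guard quoted above. Names are hypothetical; the real
 * qb_ipcs_connection_auth_set() is replaced by a record of its arguments. */
#define QB_MAX(a, b) (((a) > (b)) ? (a) : (b))
#define UID_NO_CHANGE ((uid_t)-1)   /* -1 to chown(2) means "don't change" */

typedef struct {
    bool applied;  /* would qb_ipcs_connection_auth_set() have been called? */
    uid_t uid;     /* owner it would receive (UID_NO_CHANGE = leave as is) */
    gid_t gid;     /* group it would receive */
    mode_t mode;   /* permission bits it would receive */
} ipc_auth_t;

static const ipc_auth_t NO_GRANT = { false, UID_NO_CHANGE, 0, 0 };

/* True if gid is the client's primary or one of its supplementary groups. */
static bool in_group(gid_t gid, gid_t gid_client, const gid_t *supp, size_t nsupp)
{
    for (size_t i = 0; i < nsupp; i++)
        if (supp[i] == gid) return true;
    return gid_client == gid;
}

/* Body shared by both variants: the steps on lines 318-326 of the excerpt. */
static ipc_auth_t grant_cluster_access(uid_t uid_server, uid_t uid_client,
                                       gid_t gid_cluster)
{
    ipc_auth_t a = { true, UID_NO_CHANGE, gid_cluster,
                     S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP };

    if (uid_client == 0 || uid_server == 0) {
        /* uid_server is 0 for a root daemon, so this yields the client's uid. */
        a.uid = QB_MAX(uid_client, uid_server);
    }
    return a;
}

/* Vulnerable form: entry depends only on the client's gid being non-zero,
 * which every ordinary local user satisfies. */
ipc_auth_t vulnerable_ipc_auth(uid_t uid_server, uid_t uid_client,
                               gid_t gid_cluster, gid_t gid_client)
{
    if (gid_cluster != 0 && gid_client != 0)
        return grant_cluster_access(uid_server, uid_client, gid_cluster);
    return NO_GRANT;
}

/* Hardened form (an assumed policy for illustration, not the upstream patch):
 * the body runs only for root or for a member of the cluster group. */
ipc_auth_t hardened_ipc_auth(uid_t uid_server, uid_t uid_client, gid_t gid_cluster,
                             gid_t gid_client, const gid_t *supp, size_t nsupp)
{
    if (gid_cluster != 0 &&
        (uid_client == 0 || in_group(gid_cluster, gid_client, supp, nsupp)))
        return grant_cluster_access(uid_server, uid_client, gid_cluster);
    return NO_GRANT;
}

/* DAC check of the recorded owner/group/mode against the client's identity. */
bool client_has_access(const ipc_auth_t *a, uid_t uid_client, gid_t gid_client,
                       const gid_t *supp, size_t nsupp)
{
    if (uid_client == 0) return true;   /* root bypasses DAC */
    if (!a->applied) return false;      /* assumed: connection stays server-only */
    if (a->uid == uid_client && (a->mode & (S_IRUSR | S_IWUSR)) == (S_IRUSR | S_IWUSR))
        return true;
    return in_group(a->gid, gid_client, supp, nsupp) &&
           (a->mode & (S_IRGRP | S_IWGRP)) == (S_IRGRP | S_IWGRP);
}

/* Constructed scenario: a daemon running as root (as lrmd does), cluster gid 189. */
#define SRV_UID 0u
#define CLUSTER_GID 189u

/* Evaluate one connection attempt under the vulnerable or the hardened guard. */
bool guard_lets_client_in(bool hardened, uid_t uid_client, gid_t gid_client,
                          const gid_t *supp, size_t nsupp)
{
    ipc_auth_t a = hardened
        ? hardened_ipc_auth(SRV_UID, uid_client, CLUSTER_GID, gid_client, supp, nsupp)
        : vulnerable_ipc_auth(SRV_UID, uid_client, CLUSTER_GID, gid_client);
    return client_has_access(&a, uid_client, gid_client, supp, nsupp);
}

int main(void)
{
    static const gid_t member[] = { CLUSTER_GID };
    printf("vulnerable guard, uid 1000 outside cluster group: %d\n", guard_lets_client_in(false, 1000, 1000, NULL, 0));
    printf("hardened guard,   uid 1000 outside cluster group: %d\n", guard_lets_client_in(true, 1000, 1000, NULL, 0));
    printf("hardened guard,   uid 1001 in cluster group:      %d\n", guard_lets_client_in(true, 1001, 1001, member, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall ipc_guard_model.c -o ipc_guard_model` (file name assumed) and run it: the vulnerable guard reports 1 for the outsider because the connection record ends up owned by uid 1000 with mode 0660, while the hardened guard reports 0 for the outsider and 1 for the group member. The useful review habit this illustrates is to test an authorization guard against the identities it is meant to reject, not only those it should admit.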