An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
It was found that Pacemaker does not properly check privileges on its IPC interface, which allows a non-privileged user to escalate their privileges to root.
Vulnerable code (lib/common/ipc.c), with the relevant lines marked in comments:

    if(gid_cluster != 0 && gid_client != 0) {                           /* <-- condition under which group access is granted */
        uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */

        if(uid_client == 0 || uid_server == 0) { /* Someone is privileged, but the other may not be */   /* <-- one side is root */
            best_uid = QB_MAX(uid_client, uid_server);                  /* <-- picks the larger (non-root) uid as owner */
            crm_trace("Allowing user %u to clean up after disconnect", best_uid);
        }

        crm_trace("Giving access to group %u", gid_cluster);
        qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);   /* <-- owner best_uid, group gid_cluster, group read/write */
    }
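The following is an added illustration, not code from Pacemaker or from the upstream patch: it reproduces the owner/group/mode decision of the quoted block, applies it like file permissions (an assumption of this model), and places an assumed hardening beside it in which a root daemon accepts only root or the cluster user itself. The uids/gids 189, 1000 and 1001 are constructed sample values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#define QB_MAX(a, b) ((a) > (b) ? (a) : (b))
/* Constructed model of what the quoted block hands to qb_ipcs_connection_auth_set();
 * peer_can_use() treats it like file ownership and mode, an assumption of this example. */
struct ipc_auth { uid_t uid; gid_t gid; mode_t mode; };
/* Same decision logic as the quoted lib/common/ipc.c lines. */
struct ipc_auth vulnerable_auth(uid_t uid_client, uid_t uid_server,
                                gid_t gid_client, gid_t gid_cluster)
{
    struct ipc_auth a = { (uid_t)-1, (gid_t)-1, 0 };
    if (gid_cluster != 0 && gid_client != 0) {
        uid_t best_uid = (uid_t)-1;
        if (uid_client == 0 || uid_server == 0)
            best_uid = QB_MAX(uid_client, uid_server); /* root (0) loses to the larger uid */
        a.uid = best_uid;
        a.gid = gid_cluster;
        a.mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP; /* read/write for the whole group */
    }
    return a;
}
bool peer_can_use(struct ipc_auth a, uid_t peer_uid, gid_t peer_gid)
{
    if (peer_uid == 0) return true;
    if (peer_uid == a.uid && (a.mode & S_IWUSR)) return true;
    return peer_gid == a.gid && (a.mode & S_IWGRP);
}

/* Under the vulnerable rules, does this peer get read/write on a root daemon's
 * connection that was opened by uid_client (who is in the cluster group)? */
bool vulnerable_allows(uid_t uid_client, gid_t gid_cluster, uid_t peer_uid, gid_t peer_gid)
{
    return peer_can_use(vulnerable_auth(uid_client, 0, gid_cluster, gid_cluster), peer_uid, peer_gid);
}

/* Assumed hardening (not the upstream patch): a root daemon accepts only root or the
 * cluster user itself; membership of the cluster group alone is no longer enough. */
bool hardened_allows(uid_t uid_cluster, uid_t peer_uid)
{
    return peer_uid == 0 || peer_uid == uid_cluster;
}

int main(void)
{   /* constructed ids: 189 plays the cluster user/group, 1000 and 1001 are group members */
    printf("other group member, vulnerable: %d\n", vulnerable_allows(1000, 189, 1001, 189));
    printf("other group member, hardened:   %d\n", hardened_allows(189, 1001));
    return 0;
}
```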
Introduced with commit
https://github.com/ClusterLabs/pacemaker/commit/5fe63f902b35bfed9cee117060a3ba7830d548f5
Affected pacemaker versions
===========================
Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version
Pacemaker-1.1.15 (2016-06-21).
This covers all pacemaker packages since at least RHEL 6.5 (up to what's
currently queued for RHEL 7.3).
Affected pacemaker daemons
==========================
- union of those running as root:
. pacemakerd
. stonithd
. lrmd
and those exposing IPC API:
. lrmd
. ...?
References
==========
Upstream patch:
https://github.com/ClusterLabs/pacemaker/commit/5d71e65049
Upstream discussion:
http://clusterlabs.org/pipermail/users/2016-November/004432.html
Disclosure email:
http://www.openwall.com/lists/oss-security/2016/11/03/5