Bug 1379784 (CVE-2016-7797)

Summary: CVE-2016-7797 pacemaker: pacemaker remote nodes vulnerable to hijacking, resulting in a DoS attack
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abeekhof, cbuissar, cfeist, kgaillot, security-response-team, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
It was found that the connection between a pacemaker cluster and a pacemaker_remote node could be shut down using a new unauthenticated connection. A remote attacker could use this flaw to cause a denial of service.
Last Closed: 2016-11-04 08:19:40 UTC
Bug Depends On: 1312094, 1389439, 1389440
Bug Blocks: 1379785

Description Adam Mariš 2016-09-27 16:20:29 UTC
If a corosync node is connected to a pacemaker_remote node, the
connection can be trivially killed simply by connecting to the remote on its
standard TCP port (typically 3121):

2016-02-18T18:06:45.258661+00:00 d52-54-77-77-77-01 crmd[2637]:    error: Unexpected pacemaker_remote client takeover. Disconnecting

Takeover is allowed in order to support migration of the remote primitive from
one corosync node to another, but since this is a trivial denial of service
attack, it should only be allowed once a valid authkey is provided.

=> Upstream bug :
 - Bug 5269 - DoS: valid authkey should be required for takeover of a Pacemaker remote
http://bugs.clusterlabs.org/show_bug.cgi?id=5269

=> Upstream fix :
 - Fix: remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388)
https://github.com/ClusterLabs/pacemaker/commit/5ec24a26

Resolved in upstream pacemaker 1.1.15
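
The flaw and the upstream fix described in this report can be modelled as a small connection state machine: before the fix a new connection displaces the active one as soon as it is accepted, after the fix only once its handshake has completed. This is an added example, not pacemaker source code; the struct and function names are hypothetical, and the `key_valid` flag is an assumption standing in for the real authkey handshake.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model for illustration, not pacemaker source code. */
struct conn { int id; bool authenticated; };

struct remote_node {
    struct conn *active;       /* connection currently serving the cluster */
    bool takeover_on_accept;   /* true models the pre-fix behaviour */
};

/* A TCP client has connected; nothing about it has been verified yet. */
static void on_accept(struct remote_node *n, struct conn *c)
{
    c->authenticated = false;
    if (n->takeover_on_accept)
        n->active = c;         /* flaw: any new peer displaces the cluster */
}

/* Handshake result arrives; key_valid stands in for the real authkey check. */
static bool on_handshake_done(struct remote_node *n, struct conn *c, bool key_valid)
{
    if (!key_valid)
        return false;          /* rejected; the active connection is untouched */
    c->authenticated = true;
    n->active = c;             /* legitimate takeover, e.g. resource migration */
    return true;
}

/* Cluster node 1 connects, then a second peer connects on the same port.
 * Returns the id of the connection that is active afterwards. */
int active_after_second_peer(bool takeover_on_accept, bool second_has_key)
{
    struct remote_node node = { NULL, takeover_on_accept };
    struct conn first = { 1, false }, second = { 2, false };

    on_accept(&node, &first);
    on_handshake_done(&node, &first, true);
    on_accept(&node, &second);
    on_handshake_done(&node, &second, second_has_key);
    return node.active->id;
}

int main(void)
{
    printf("pre-fix, no key : active=%d\n", active_after_second_peer(true, false));
    printf("fixed, no key   : active=%d\n", active_after_second_peer(false, false));
    printf("fixed, valid key: active=%d\n", active_after_second_peer(false, true));
    return 0;
}
```

In the fixed mode the original connection stays active when the second peer has no key, while a peer with a valid key still takes over, which preserves migration of the remote primitive.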

Comment 3 Cedric Buissart 2016-10-03 09:29:41 UTC
=> Fedora is not affected since Fedora 23 and 24 are using pacemaker-1.1.15.

=> Resolved in RHEL6.8, pacemaker-1.1.14-8.el6, via the following bugzilla :
 - Bug 1312092 - crmd can crash after unexpected remote connection takeover
https://bugzilla.redhat.com/show_bug.cgi?id=1312092

Corresponding errata : https://rhn.redhat.com/errata/RHBA-2016-0856.html

=> Planned resolution in RHEL7 via the following bugzilla :
 - Bug 1312094 - crmd can crash after unexpected remote connection takeover
https://bugzilla.redhat.com/show_bug.cgi?id=1312094

Comment 5 Cedric Buissart 2016-10-27 09:09:22 UTC
Acknowledgments:

Name: Alain Moulle (ATOS/BULL)

Comment 6 errata-xmlrpc 2016-11-03 19:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2578 https://rhn.redhat.com/errata/RHSA-2016-2578.html