Bug 1652646 (CVE-2018-16877)

Summary: CVE-2018-16877 pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abeekhof, andrew, anprice, cfeist, cluster-maint, dbecker, huzaifas, jjoyce, jpokorny, jschluet, kbasil, kgaillot, lhh, lpeer, mburns, sclewis, security-response-team, sisharma, slinaber, ssaha, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pacemaker 2.0.2-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way pacemaker's client-server authentication was implemented. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1694555, 1694556, 1694557, 1694558, 1700737, 1706306
Bug Blocks: 1652647
Attachments:
- Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885 (flags: none)

Description Pedro Sampaio 2018-11-22 14:17:41 UTC
A flaw was found in pacemaker. Insufficient verification of client-side authentication combined with other IPC weaknesses leads to local privilege escalation.

Comment 2 Huzaifa S. Sidhpurwala 2018-12-03 10:59:11 UTC
Acknowledgments:

Name: Jan Pokorný (Red Hat)

Comment 5 Huzaifa S. Sidhpurwala 2019-04-01 06:13:24 UTC
Detailed description of the issue:

A pair of design-level security vulnerabilities were discovered, verging on mere weaknesses in isolation, but when opportunistically combined, making for a local privilege escalation (which is easily extended to taking control over the whole cluster, which is a natural consequence of obtaining local root privileges solely by the means of what pacemaker unexpectedly allows one to breach on its own -- note that direct remote code execution or other kinds of remote exploitation were not discovered, but there was not too much effort put into this either, and some hypothetical attacks may be possible).

With "confused deputy" in the title, we refer to a problem of a computer program being too naive so that it can be tricked by the attacker to perform something malicious the same way legitimate processing is carried out. This may be, and in pacemaker's case is, enough to undermine the integrity of otherwise secured boundaries of the computing environment, and in turn elevate privileges of the attacker [1]. Plural is used since the naivety is knowingly exposed in two different places, as detailed below.

At this point, it's worth mentioning that local privilege escalation is just the most interesting proven attack scenario, since getting control over a machine is more valuable than degrading overall cluster high availability on a single (attacker-local) node.
[1] https://en.wikipedia.org/wiki/Confused_deputy_problem

Given this is mostly a design flaw, it is assumed that any pacemaker version integrated with libqb is affected, meaning the span would be:
- since Pacemaker-1.1.8 (~ September 2012)
- up to and including Pacemaker-2.0.0

Comment 7 Huzaifa S. Sidhpurwala 2019-04-17 05:48:00 UTC
Statement:

This is essentially a design level security flaw which can be combined with other flaws to achieve local privilege escalation for clusters running pacemaker. The attacker needs to have access to the cluster node running pacemaker (AV:L). The attacker can easily use the design flaw via the confused deputy problem to run the exploit (AC:L), and also needs to have login access to the pacemaker node to run the exploit (PR:L).

Due to the elevated privileges obtained, there is an impact to the system beyond the pacemaker node itself (S:C). Lastly, due to the attacker's ability to run arbitrary code as root, confidentiality, integrity, and availability of the system are affected (CIA:H).

Comment 8 Huzaifa S. Sidhpurwala 2019-04-17 05:57:34 UTC
Created attachment 1555734
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885

Comment 9 Huzaifa S. Sidhpurwala 2019-04-17 09:44:59 UTC
Public via:
https://www.openwall.com/lists/oss-security/2019/04/17/1

Comment 10 Huzaifa S. Sidhpurwala 2019-04-17 09:51:30 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1700737]

Comment 20 Huzaifa S. Sidhpurwala 2019-05-04 07:56:46 UTC
Created pacemaker tracking bugs for this issue:

Affects: openstack-rdo [bug 1706306]

Comment 22 errata-xmlrpc 2019-05-27 15:59:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1279 https://access.redhat.com/errata/RHSA-2019:1279

Comment 23 errata-xmlrpc 2019-05-27 16:00:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1278