Bug 1652646 (CVE-2018-16877)
| Field | Value |
|---|---|
| Summary | CVE-2018-16877 pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | abeekhof, andrew, anprice, cfeist, cluster-maint, dbecker, huzaifas, jjoyce, jpokorny, jschluet, kbasil, kgaillot, lhh, lpeer, mburns, sclewis, security-response-team, sisharma, slinaber, ssaha, vbellur |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | pacemaker 2.0.2-rc1 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the way pacemaker's client-server authentication was implemented. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-06-10 10:43:12 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1694555, 1694556, 1694557, 1694558, 1700737, 1706306 |
| Bug Blocks | 1652647 |
| Attachments | |
Description
Pedro Sampaio
2018-11-22 14:17:41 UTC
Acknowledgments: Name: Jan Pokorný (Red Hat)

Detailed description of the issue:

A pair of design-level security vulnerabilities were discovered, verging on mere weaknesses in isolation, but when opportunistically combined, making for a local privilege escalation (which is easily extended to taking control over the whole cluster, which is a natural consequence of obtaining local root privileges solely by the means of what pacemaker unexpectedly allows one to breach on its own -- note that direct remote code execution or other kinds of remote exploitation were not discovered, but there was not too much effort put into this either, and some hypothetical attacks may be possible).

With "confused deputy" in the title, we refer to a problem of a computer program being too naive so that it can be tricked by the attacker to perform something malicious the same way legitimate processing is carried out. This may be, and in pacemaker's case is, enough to undermine the integrity of otherwise secured boundaries of the computing environment, and in turn elevate privileges of the attacker [1]. Plural is used since the naivety is knowingly exposed in two different places, as detailed below.

At this point, it's worth mentioning that local privilege escalation is just the most interesting proved attack scenario, since getting control over a machine is more valuable than degrading overall cluster high availability on a single (attacker-local) node.

[1] https://en.wikipedia.org/wiki/Confused_deputy_problem

Given this is mostly a design flaw, it is assumed that any pacemaker version integrated with libqb is affected, meaning the span would be:
- since Pacemaker-1.1.8 (~ September 2012)
- up to and including Pacemaker-2.0.0

Statement:

This is essentially a design-level security flaw which can be combined with other flaws to achieve local privilege escalation for clusters running pacemaker. The attacker needs to have access to the cluster node running pacemaker (AV:L). The attacker can easily use the design flaw via the confused deputy problem to run the exploit (AC:L), and also needs to have login access to the pacemaker node to run the exploit (PR:L). Due to the elevated privileges obtained, there is an impact to the system beyond the pacemaker node itself (S:C). Lastly, due to the attacker's ability to run arbitrary code as root, confidentiality, integrity, and availability of the system are affected (CIA:H).

Created attachment 1555734 [details]
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885

Created pacemaker tracking bugs for this issue:
Affects: fedora-all [bug 1700737]

Upstream patch: https://github.com/ClusterLabs/pacemaker/pull/1749/commits/970736b1c7ad5c78cc5295a4231e546104d55893

Created pacemaker tracking bugs for this issue:
Affects: openstack-rdo [bug 1706306]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:1279 https://access.redhat.com/errata/RHSA-2019:1279

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1278
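The summary names the defensive gap as missing client-side authentication of the local IPC server. The following is an added illustration, not pacemaker's or libqb's own code: a client that refuses to send anything to a local AF_UNIX endpoint unless the connected peer's kernel-reported credentials match the expected service uid. Assumed: Linux (SO_PEERCRED), a policy where the expected uid is the one the trusted daemon runs as, and a placeholder socket path.

```c
#define _GNU_SOURCE            /* struct ucred on glibc */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Returns 1 if the peer on `fd` runs as `expected_uid`, 0 if it runs as
 * anyone else, and -1 if the kernel gave no credentials (treat as untrusted).
 * SO_PEERCRED is filled in by the kernel, so the peer cannot forge it. */
int ipc_peer_is_trusted(int fd, uid_t expected_uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 ||
        len != sizeof(cred))
        return -1;
    return cred.uid == expected_uid ? 1 : 0;
}

/* Connect to a named socket and verify the server before any request is
 * written. Returns the connected fd, or -1 if the connect or the credential
 * check failed, so a process squatting on the path is never talked to. */
int ipc_connect_checked(const char *path, uid_t expected_uid)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0 ||
        ipc_peer_is_trusted(fd, expected_uid) != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Stand-alone demo using a socketpair: the "peer" is ourselves. */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    printf("peer as own uid trusted: %d\n", ipc_peer_is_trusted(sv[0], getuid()));
    printf("peer as other uid trusted: %d\n", ipc_peer_is_trusted(sv[0], getuid() + 1));
    close(sv[0]); close(sv[1]);
    return 0;
}
```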