Bug 704039 (CVE-2011-1784)

Summary: CVE-2011-1784 keepalived: insecure permissions on pid files
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jrusnack, matthias, rohara
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 17:54:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 704040, 704041
Bug Blocks:

Description Vincent Danen 2011-05-11 22:45:53 UTC
It was reported [1] that keepalived wrote its PID files in /var/run as world-writable files.  This could allow an unprivileged user to change the referenced PID in the PID file, and upon a service restart or stop of keepalived, would kill the other process.

The keepalived daemonize code explicitly sets umask(0), which is the root cause of this flaw, so PID file creation should probably contain explicit permission settings.

For instance, as root:

# service keepalived status
keepalived (pid  9634) is running...
# cat /var/run/keepalived.pid 
9634
# ls -al /var/run/keepalived.pid 
-rw-rw-rw- 1 root root 5 May 10 15:13 /var/run/keepalived.pid

Then as an unprivileged user:

% echo $(ps ax|grep sshd|grep -v grep|cut -d ' ' -f 2) >/var/run/keepalived.pid 
% cat /var/run/keepalived.pid 
1638

Back to root:

# service keepalived status
keepalived (pid  1638) is running...
# service keepalived stop
Stopping keepalived:                                       [  OK  ]
# service sshd status
openssh-daemon is stopped
# ps ax|grep sshd|grep -v grep
# ps ax|grep keepalived|grep -v grep
 9634 ?        Ss     0:00 /usr/sbin/keepalived -D
 9636 ?        S      0:00 /usr/sbin/keepalived -D
 9637 ?        S      0:00 /usr/sbin/keepalived -D

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
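The description points at two places a fix can live: the daemon should set the PID file's mode explicitly instead of inheriting whatever umask(0) leaves, and whatever consumes the PID file (the init script's stop/status path, or the daemon itself) should refuse a file that anyone else could have written. The following is an added example written for this report, not keepalived's own code or its eventual patch; the helper names, the /tmp path and the return codes are constructed for illustration. It reproduces the umask(0) from the daemonize code, writes the PID file with an explicit 0644 via fchmod(2) (open(2) has the umask applied to its mode argument, fchmod does not), then loosens the file to 0666 as in the report and shows the reader rejecting it rather than trusting the PID inside.

```c
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* older headers: lose only the symlink refusal */
#endif

/* Hypothetical writer: forces 0644 regardless of the process umask. */
int pidfile_write(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    /* fchmod is not subject to umask, so this undoes the umask(0) effect */
    if (fchmod(fd, 0644) < 0) {
        close(fd);
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (n < 0 || write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Permission bits (mode & 0777) of path, or -1 on error. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Hypothetical defensive reader for the consuming side: refuse a PID file
 * that is not a regular file, is group- or world-writable, or is not owned
 * by the caller. The 0666 file from the report is rejected here. */
int pidfile_read(const char *path, pid_t *out)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    char buf[32];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || v <= 0 || v > INT_MAX)
        return -1;
    *out = (pid_t)v;
    return 0;
}

/* Walk the scenario on a constructed path. Returns 0 on success or the
 * negative number of the first failing step. */
int demo_pidfile_hardening(const char *path)
{
    mode_t old = umask(0);                 /* same umask(0) as the daemonize code */
    int rc = pidfile_write(path, getpid());
    umask(old);
    if (rc != 0)
        return -1;
    if (file_mode_bits(path) != 0644)      /* explicit mode survived umask(0) */
        return -2;
    pid_t pid = 0;
    if (pidfile_read(path, &pid) != 0 || pid != getpid())
        return -3;
    if (chmod(path, 0666) != 0)            /* recreate the world-writable file */
        return -4;
    if (pidfile_read(path, &pid) == 0)     /* must now be refused */
        return -5;
    unlink(path);
    return 0;
}

int main(void)
{
    int rc = demo_pidfile_hardening("/tmp/pidfile-demo.pid");
    printf("pidfile hardening demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The ownership and writability checks in pidfile_read are the part an init script can mirror with a `stat` before it passes the PID to `kill`; on the file shown in the report (`-rw-rw-rw- root root`) that check fails on the world-writable bit alone.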

Comment 1 Vincent Danen 2011-05-11 22:47:09 UTC
Created keepalived tracking bugs for this issue

Affects: fedora-all [bug 704040]
Affects: epel-6 [bug 704041]

Comment 2 Vincent Danen 2011-05-17 23:43:50 UTC
This was assigned CVE-2011-1784.

Comment 3 Fedora Update System 2012-09-04 22:59:01 UTC
keepalived-1.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2012-09-04 23:00:23 UTC
keepalived-1.2.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.