Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1369732 - (CVE-2016-7035) CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication
CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20161103,repo...
: Security
: 1369467 1379782 (view as bug list)
Depends On: 1369467 1374774 1374775 1374776 1374777 1391386
Blocks: 1369733 1379785
  Show dependency treegraph
 
Reported: 2016-08-24 05:21 EDT by Adam Mariš
Modified: 2018-09-10 10:25 EDT (History)
9 users (show)

See Also:
Fixed In Version: pacemaker 1.1.16
Doc Type: If docs needed, set a value
Doc Text:
An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-08 08:49:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Fix, latest version (3.14 KB, patch)
2016-11-03 04:57 EDT, Cedric Buissart 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2614 normal SHIPPED_LIVE Important: pacemaker security and bug fix update 2016-11-03 13:06:04 EDT
Red Hat Product Errata RHSA-2016:2675 normal SHIPPED_LIVE Important: pacemaker security update 2016-11-08 13:21:57 EST

  None (edit)
Description Adam Mariš 2016-08-24 05:21:25 EDT 
It was found that pacemaker doesn't properly check privileges and allows to change privileges to root level for non-privileged user.

Vulnerable code (lib/common/ipc.c):

317     if(gid_cluster != 0 && gid_client != 0) {
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
318         uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
319 
320         if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
                                 ^^^^^^^^^^^^^^^^ 
321             best_uid = QB_MAX(uid_client, uid_server);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
322             crm_trace("Allowing user %u to clean up after disconnect", best_uid);
323         }
324 
325         crm_trace("Giving access to group %u", gid_cluster);
326         qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^    ^^^^^^^^
327     }

Introduced with commit
https://github.com/ClusterLabs/pacemaker/commit/5fe63f902b35bfed9cee117060a3ba7830d548f5


Affected pacemaker versions
===========================
Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version
Pacemaker-1.1.15 (2016-06-21).

This covers all pacemaker packages since at least RHEL 6.5 (up to what's
currently queued for RHEL 7.3).


Affected pacemaker daemons
==========================

- union of those running as root:
  . pacemakerd
  . stonithd
  . lrmd
 and those exposing IPC API:
  . lrmd
  . ...?


References
==========
Upstream patch :
https://github.com/ClusterLabs/pacemaker/commit/5d71e65049

Upstream discussion :
http://clusterlabs.org/pipermail/users/2016-November/004432.html

Disclosure email :
http://www.openwall.com/lists/oss-security/2016/11/03/5
Comment 1 Adam Mariš 2016-08-24 05:21:29 EDT 
Acknowledgments:

Name: Jan "poki" Pokorny (Red Hat), Alain Moulle (ATOS/BULL)
Comment 9 Ken Gaillot 2016-09-22 18:13:32 EDT 
*** Bug 1369467 has been marked as a duplicate of this bug. ***
Comment 12 Cedric Buissart 2016-10-24 12:00:28 EDT 
*** Bug 1379782 has been marked as a duplicate of this bug. ***
Comment 13 Cedric Buissart 2016-11-03 04:45:46 EDT 
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1391386]
Comment 14 Cedric Buissart 2016-11-03 04:57 EDT 
Created attachment 1216896 [details]
Fix, latest version
Comment 15 errata-xmlrpc 2016-11-04 05:04:02 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2614 https://rhn.redhat.com/errata/RHSA-2016-2614.html
Comment 16 errata-xmlrpc 2016-11-08 08:23:23 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2675 https://rhn.redhat.com/errata/RHSA-2016-2675.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.