Bug 1369732 (CVE-2016-7035) - CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication
Summary: CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC...
Alias: CVE-2016-7035
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: Embargoed1369467 Embargoed1379782 (view as bug list)
Depends On: Embargoed1369467 Engineering1374774 Engineering1374775 Engineering1374776 Engineering1374777 1391386
Blocks: Embargoed1369733 Embargoed1379785
TreeView+ depends on / blocked
Reported: 2016-08-24 09:21 UTC by Adam Mariš
Modified: 2021-02-17 03:25 UTC (History)
9 users (show)

Fixed In Version: pacemaker 1.1.16
Doc Type: If docs needed, set a value
Doc Text:
An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
Clone Of:
Last Closed: 2016-11-08 13:49:04 UTC

Attachments (Terms of Use)
Fix, latest version (3.14 KB, patch)
2016-11-03 08:57 UTC, Cedric Buissart
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2614 0 normal SHIPPED_LIVE Important: pacemaker security and bug fix update 2016-11-03 17:06:04 UTC
Red Hat Product Errata RHSA-2016:2675 0 normal SHIPPED_LIVE Important: pacemaker security update 2016-11-08 18:21:57 UTC

Description Adam Mariš 2016-08-24 09:21:25 UTC
It was found that pacemaker doesn't properly check privileges and allows to change privileges to root level for non-privileged user.

Vulnerable code (lib/common/ipc.c):

317     if(gid_cluster != 0 && gid_client != 0) {
318         uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
320         if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
321             best_uid = QB_MAX(uid_client, uid_server);
322             crm_trace("Allowing user %u to clean up after disconnect", best_uid);
323         }
325         crm_trace("Giving access to group %u", gid_cluster);
326         qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^    ^^^^^^^^
327     }

Introduced with commit

Affected pacemaker versions
Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version
Pacemaker-1.1.15 (2016-06-21).

This covers all pacemaker packages since at least RHEL 6.5 (up to what's
currently queued for RHEL 7.3).

Affected pacemaker daemons

- union of those running as root:
  . pacemakerd
  . stonithd
  . lrmd
 and those exposing IPC API:
  . lrmd
  . ...?

Upstream patch :

Upstream discussion :

Disclosure email :

Comment 1 Adam Mariš 2016-08-24 09:21:29 UTC

Name: Jan "poki" Pokorny (Red Hat), Alain Moulle (ATOS/BULL)

Comment 9 Ken Gaillot 2016-09-22 22:13:32 UTC
*** EmbargoedBug 1369467 has been marked as a duplicate of this bug. ***

Comment 12 Cedric Buissart 2016-10-24 16:00:28 UTC
*** EmbargoedBug 1379782 has been marked as a duplicate of this bug. ***

Comment 13 Cedric Buissart 2016-11-03 08:45:46 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1391386]

Comment 14 Cedric Buissart 2016-11-03 08:57:40 UTC
Created attachment 1216896 [details]
Fix, latest version

Comment 15 errata-xmlrpc 2016-11-04 09:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2614 https://rhn.redhat.com/errata/RHSA-2016-2614.html

Comment 16 errata-xmlrpc 2016-11-08 13:23:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2675 https://rhn.redhat.com/errata/RHSA-2016-2675.html

Note You need to log in before you can comment on or make changes to this bug.