Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1558721 - (CVE-2018-1088) CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when snapshot scheduling is enabled
CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20180418,repo...
: Security
Depends On: 1559331 1564971 1564972 1568832 1568973 1570428 1570430 1570432
Blocks: 1558724
  Show dependency treegraph
 
Reported: 2018-03-20 17:30 EDT by Pedro Sampaio
Modified: 2018-05-15 23:22 EDT (History)
32 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation flaw was found in gluster snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-03 19:46:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1136 None None None 2018-04-18 08:06 EDT
Red Hat Product Errata RHSA-2018:1137 None None None 2018-04-18 08:04 EDT
Red Hat Product Errata RHSA-2018:1275 None None None 2018-05-02 09:15 EDT
Red Hat Product Errata RHSA-2018:1524 None None None 2018-05-15 13:39 EDT

  None (edit)
Description Pedro Sampaio 2018-03-20 17:30:53 EDT
As reported:

When certain options are enabled in Gluster, it creates a volume called
gluster_shared_storage. This volume is mounted on each server in the cluster
and used to share state. The volume is not intended to be mounted by storage
clients as it does not contain any data that is intended to be user accessi=
ble.
 
When snapshot scheduling is enabled in Gluster, this gluster_shared_storage
volume is used to coordinate the snapshots. Part of that is sharing the cron
job that is used to trigger scheduled snaps. The crontab file exposed in the
shared volume is symlinked into each server's /etc/cron.d directory.
 
By default, the shared_storage volume can be mounted by any client that has
access to the cluster to mount data volumes. Further, since Gluster relies =
on
client-reported uids, the shared_storage volume can be written from any of
these clients, permitting cron entries to be added to the system crontab
directory such that they will be executed by each server as root (or any ot=
her
uid).
Comment 8 Pedro Sampaio 2018-03-22 07:31:36 EDT
Acknowledgments:

Name: John Strunk (Red Hat)
Comment 27 Doran Moppert 2018-04-18 02:52:26 EDT
Mitigation:

To limit exposure of gluster server nodes :  

1. gluster server should be on LAN and not reachable from public networks.  
2. Use gluster auth.allow and auth.reject.  
3. Use TLS certificates between gluster server nodes and clients.  

Caveat: This would only mitigate attacks from unauthorized malicious clients. gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.
Comment 28 Siddharth Sharma 2018-04-18 06:02:35 EDT
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1568832]
Comment 29 errata-xmlrpc 2018-04-18 08:04:25 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:1137 https://access.redhat.com/errata/RHSA-2018:1137
Comment 30 errata-xmlrpc 2018-04-18 08:06:19 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:1136 https://access.redhat.com/errata/RHSA-2018:1136
Comment 31 Siddharth Sharma 2018-04-19 06:22:56 EDT
External References:

https://access.redhat.com/articles/3414511
Comment 32 Siddharth Sharma 2018-04-19 13:28:50 EDT
upstream fixes:

https://review.gluster.org/#/c/19899/
https://review.gluster.org/#/c/19898/
Comment 33 Siddharth Sharma 2018-04-27 06:09:24 EDT
Statement:

This vulnerability affects gluster servers that have, or have previously had, Gluster volume snapshot scheduling enabled from the CLI. Red Hat Enterprise Virtualization supports volume snapshot scheduling from the Web UI, which uses a distinct mechanism that is not subject to this vulnerability. VM snapshots are not impacted by this flaw. For more information, please see the Vulnerability Article linked under External References.

This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6, and 7 because only gluster client is shipped in these products. CVE-2018-1088 affects glusterfs-server package as shipped with Red Hat Gluster Storage 3.
Comment 34 errata-xmlrpc 2018-05-02 09:14:55 EDT
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1275 https://access.redhat.com/errata/RHSA-2018:1275
Comment 35 errata-xmlrpc 2018-05-15 13:38:54 EDT
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1524 https://access.redhat.com/errata/RHSA-2018:1524

Note You need to log in before you can comment on or make changes to this bug.