Bug 1888191 (CVE-2020-25654) - CVE-2020-25654 pacemaker: ACL restrictions bypass
Summary: CVE-2020-25654 pacemaker: ACL restrictions bypass
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25654
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1889582 1891528 1891529 1891718 1891719 1892140
Blocks: 1887376
 
Reported: 2020-10-14 10:49 UTC by Michael Kaplan
Modified: 2021-02-10 14:38 UTC (History)

Fixed In Version: pacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2
Doc Type: If docs needed, set a value
Doc Text:
An ACL bypass flaw was found in Pacemaker. This flaw allows an attacker with a local account on the cluster and in the haclient group to use IPC communication with various daemons to directly perform certain tasks that would be prevented if they had gone through configured ACLs. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-12-15 12:47:04 UTC


Attachments
Fix for pacemaker CVE-2020-25654 (upstream master branch as of 2020-10-18) (19.00 KB, patch), 2020-10-19 20:20 UTC, Ken Gaillot
Fix for pacemaker CVE-2020-25654 (upstream 2.0.4 release) (18.72 KB, patch), 2020-10-19 20:21 UTC, Ken Gaillot
Fix for pacemaker CVE-2020-25654 (upstream 2.0.3 release) (18.75 KB, patch), 2020-10-19 20:22 UTC, Ken Gaillot
Fix for pacemaker CVE-2020-25654 (upstream 1.1.23 release) (24.56 KB, patch), 2020-10-19 20:22 UTC, Ken Gaillot


Links
Red Hat Product Errata RHSA-2020:5423 (last updated 2020-12-15 08:43:13 UTC)
Red Hat Product Errata RHSA-2020:5453 (last updated 2020-12-15 11:19:22 UTC)
Red Hat Product Errata RHSA-2020:5487 (last updated 2020-12-15 17:03:17 UTC)

Description Michael Kaplan 2020-10-14 10:49:00 UTC
An ACL bypass flaw was found in pacemaker. When ACLs are not in use, any user in the haclient group has full access to the configuration, which effectively gives them the ability to run any code as root.

When ACLs are in use, users still must be in the haclient group, but their read and write access to various parts of the configuration is limited by configured ACLs.

The vulnerability is that users may use IPC communication with the various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
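
The access model the description sets out can be checked against a CIB dump: membership in haclient is the outer gate, and only when the enable-acl cluster property is true do acl_target / acl_group role bindings narrow what a member may read or write. The Python script below is an added example written for this page, not code from Pacemaker, pcs or the bug report; the CIB fragment and the Unix group memberships in it are constructed. It treats write permission on the resources section, or on any ancestor such as /cib, as root-equivalent, because whoever can define resources can have the cluster execute an arbitrary resource agent as root. The subtree test is a simplified prefix match on plain absolute xpaths (predicates and // expressions are not modelled), and a haclient member bound to no role is reported as "no-role" rather than having Pacemaker's default for that case decided here.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB for this example (not taken from the bug report); element and
# attribute names follow the Pacemaker CIB schema for ACLs.
SAMPLE_CIB = """\
<cib>
  <configuration>
    <crm_config><cluster_property_set id="cib-bootstrap-options">
      <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
    </cluster_property_set></crm_config>
    <nodes/><resources/><constraints/>
    <acls>
      <acl_role id="read-only"><acl_permission id="ro-read" kind="read" xpath="/cib"/></acl_role>
      <acl_role id="constraint-editor">
        <acl_permission id="ce-write" kind="write" xpath="/cib/configuration/constraints"/>
        <acl_permission id="ce-read" kind="read" xpath="/cib"/>
      </acl_role>
      <acl_role id="resource-operator">
        <acl_permission id="op-deny-acls" kind="deny" xpath="/cib/configuration/acls"/>
        <acl_permission id="op-write" kind="write" xpath="/cib/configuration/resources"/>
        <acl_permission id="op-read" kind="read" xpath="/cib"/>
      </acl_role>
      <acl_role id="full-admin"><acl_permission id="fa-write" kind="write" xpath="/cib"/></acl_role>
      <acl_target id="alice"><role id="read-only"/></acl_target>
      <acl_target id="bob"><role id="constraint-editor"/></acl_target>
      <acl_target id="carol"><role id="full-admin"/></acl_target>
      <acl_group id="ops"><role id="resource-operator"/></acl_group>
    </acls>
  </configuration>
</cib>
"""

# Constructed Unix group memberships (what `id -Gn USER` would report on the node).
UNIX_GROUPS = {
    "alice": {"haclient"},
    "bob": {"haclient"},
    "carol": {"haclient"},
    "dave": {"haclient", "ops"},   # gets resource-operator through acl_group "ops"
    "eve": {"users", "ops"},       # in "ops" but not in haclient: no cluster access at all
    "frank": {"haclient"},         # in haclient, bound to no ACL role
}
RESOURCES_PATH = "/cib/configuration/resources"

def acls_enabled(root):
    """True if the enable-acl cluster property holds a true value (the default is off)."""
    for nv in root.iterfind("./configuration/crm_config/cluster_property_set/nvpair"):
        if nv.get("name") == "enable-acl":
            return nv.get("value", "").strip().lower() in ("true", "on", "yes", "y", "1")
    return False

def role_permissions(root):
    """role id -> list of (kind, xpath) pairs in the order they are listed in the CIB."""
    return {role.get("id"): [(p.get("kind"), p.get("xpath")) for p in role.iterfind("acl_permission")]
            for role in root.iterfind("./configuration/acls/acl_role")}

def principal_roles(root):
    """'user:NAME' / 'group:NAME' -> role ids bound through acl_target / acl_group."""
    out = {}
    for prefix, tag in (("user", "acl_target"), ("group", "acl_group")):
        for el in root.iterfind(f"./configuration/acls/{tag}"):
            out[f"{prefix}:{el.get('id')}"] = [r.get("id") for r in el.iterfind("role")]
    return out

def covers(perm_xpath, target):
    """Simplified subtree test for plain absolute paths; predicates and '//' are not modelled."""
    if not perm_xpath or not perm_xpath.startswith("/") or "[" in perm_xpath or "//" in perm_xpath:
        return False
    return target == perm_xpath or target.startswith(perm_xpath.rstrip("/") + "/")

def grants_resource_write(perms):
    """Write on the resources section or an ancestor: the user can define resources, which run as root."""
    return any(kind == "write" and covers(xpath, RESOURCES_PATH) for kind, xpath in perms)

def audit(cib_xml, unix_groups):
    """user -> {'access': ..., 'roles': [...], 'why': ...} for every user in unix_groups."""
    root = ET.fromstring(cib_xml)
    enabled, roles, bound = acls_enabled(root), role_permissions(root), principal_roles(root)
    report = {}
    for user, groups in unix_groups.items():
        if "haclient" not in groups:
            report[user] = {"access": "none", "roles": [], "why": "not in haclient"}
        elif not enabled:
            report[user] = {"access": "root-equivalent", "roles": [],
                            "why": "enable-acl is off: haclient means full CIB access"}
        else:
            mine = list(bound.get(f"user:{user}", []))
            for g in sorted(groups):
                mine += bound.get(f"group:{g}", [])
            mine = list(dict.fromkeys(mine))  # de-duplicate, keep CIB order
            risky = [r for r in mine if grants_resource_write(roles.get(r, []))]
            if not mine:
                report[user] = {"access": "no-role", "roles": [], "why": "haclient member with no ACL role"}
            elif risky:
                report[user] = {"access": "root-equivalent", "roles": mine,
                                "why": f"write access to resources via {risky}"}
            else:
                report[user] = {"access": "restricted", "roles": mine, "why": "bounded by ACL roles"}
    return report
```

Call audit(SAMPLE_CIB, UNIX_GROUPS) and substitute the output of cibadmin --query and id -Gn for the constructed inputs on a real node. The caveat this CVE adds is that a "restricted" verdict only describes the CIB path: on an unpatched pacemaker a haclient member could reach the daemons over IPC and skip the ACL check altogether, so the audit says something only on the fixed versions listed above.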

Comment 7 Ken Gaillot 2020-10-19 20:20:57 UTC
Created attachment 1722698 [details]
Fix for pacemaker CVE-2020-25654 (upstream master branch as of 2020-10-18)

Comment 8 Ken Gaillot 2020-10-19 20:21:48 UTC
Created attachment 1722699 [details]
Fix for pacemaker CVE-2020-25654 (upstream 2.0.4 release)

Comment 9 Ken Gaillot 2020-10-19 20:22:14 UTC
Created attachment 1722700 [details]
Fix for pacemaker CVE-2020-25654 (upstream 2.0.3 release)

Comment 10 Ken Gaillot 2020-10-19 20:22:45 UTC
Created attachment 1722701 [details]
Fix for pacemaker CVE-2020-25654 (upstream 1.1.23 release)

Comment 11 Ken Gaillot 2020-10-19 20:25:04 UTC
Patches attached. Each patch is the same fix, but applicable to different points in the upstream code base (master branch as of this morning, the two most recent upstream releases 2.0.4 and 2.0.3, and the most recent release of the previous upstream major series 1.1.23).

Comment 21 Huzaifa S. Sidhpurwala 2020-10-27 07:51:27 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1891718]
Affects: openstack-rdo [bug 1891719]

Comment 31 Huzaifa S. Sidhpurwala 2020-10-28 02:26:41 UTC
Acknowledgments:

Name: Ken Gaillot (Red Hat)

Comment 44 errata-xmlrpc 2020-12-15 08:43:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:5423 https://access.redhat.com/errata/RHSA-2020:5423

Comment 45 errata-xmlrpc 2020-12-15 11:19:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5453 https://access.redhat.com/errata/RHSA-2020:5453

Comment 46 Product Security DevOps Team 2020-12-15 12:47:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25654

Comment 47 errata-xmlrpc 2020-12-15 17:03:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5487 https://access.redhat.com/errata/RHSA-2020:5487

Comment 48 RaTasha Tillery-Smith 2021-02-10 14:38:55 UTC
Statement:

Red Hat Gluster Storage 3 no longer maintains its own version of Pacemaker. The prerequisite is to enable the "Red Hat Enterprise Linux High Availability (for RHEL X Server)" repository. The fix will be consumed from the RHEL High Availability repository.

