Bug 1888191 (CVE-2020-25654) - CVE-2020-25654 pacemaker: ACL restrictions bypass
Summary: CVE-2020-25654 pacemaker: ACL restrictions bypass
Keywords:
Status: NEW
Alias: CVE-2020-25654
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1889582 1891528 1891529 1891719 1892140 1891718
Blocks: 1887376
Reported: 2020-10-14 10:49 UTC by Michael Kaplan
Modified: 2020-11-22 14:27 UTC (History)

Fixed In Version: pacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2
Doc Type: If docs needed, set a value
Doc Text:
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
Clone Of:
Environment:
Last Closed:


Attachments
Fix for pacemaker CVE-2020-25654 (upstream master branch as of 2020-10-18) (19.00 KB, patch), 2020-10-19 20:20 UTC, Ken Gaillot
Fix for pacemaker CVE-2020-25654 (upstream 2.0.4 release) (18.72 KB, patch), 2020-10-19 20:21 UTC, Ken Gaillot
Fix for pacemaker CVE-2020-25654 (upstream 2.0.3 release) (18.75 KB, patch), 2020-10-19 20:22 UTC, Ken Gaillot
Fix for pacemaker CVE-2020-25654 (upstream 1.1.23 release) (24.56 KB, patch), 2020-10-19 20:22 UTC, Ken Gaillot

Description Michael Kaplan 2020-10-14 10:49:00 UTC
An ACL bypass flaw was found in pacemaker. When ACLs are not in use, any user in the haclient group has full access to the configuration, which effectively gives them the ability to run any code as root.

When ACLs are in use, users still must be in the haclient group, but their read and write access to various parts of the configuration is limited by configured ACLs.

The vulnerability is that users may use IPC communication with the various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
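
A triage check, added here as an example and not part of the bug report or of pacemaker itself: it uses the Fixed In Version values above to decide whether an upstream pacemaker version string predates the fix, and lists the haclient members from /etc/group-style text, since those are the accounts the report says can bypass ACLs. Treating series newer than 2.0 as fixed, and the sample group file, are assumptions.

```python
import re
from typing import Optional

# Fixed versions given in this bug report, keyed by upstream series.
# Key layout: (major, minor, patch, is_final, rc_number); a final release
# sorts above every release candidate of the same version.
FIXED = {
    (1, 1): (1, 1, 24, 0, 1),   # pacemaker 1.1.24-rc1
    (2, 0): (2, 0, 5, 0, 2),    # pacemaker 2.0.5-rc2
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")

def version_key(version: str) -> tuple:
    """Turn '2.0.5-rc2' or '1.1.23' into a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised pacemaker version: {version!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))

def is_fixed(version: str) -> Optional[bool]:
    """True if the upstream version carries the CVE-2020-25654 fix, False if
    not, None for a series this report says nothing about. Assumption: series
    newer than 2.0 branched after the fix, so they are treated as fixed."""
    key = version_key(version)
    series = key[:2]
    if series in FIXED:
        return key >= FIXED[series]
    if series > (2, 0):
        return True
    return None

def haclient_members(group_file: str) -> list:
    """Members of the haclient group from /etc/group-style text; these are
    the accounts whose ACL restrictions this flaw lets them bypass."""
    for line in group_file.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "haclient":
            return [u for u in fields[3].split(",") if u]
    return []

# Constructed sample input, not taken from a real host.
SAMPLE_GROUP = "root:x:0:\nhaclient:x:189:hacluster,alice,bob\nusers:x:100:\n"

if __name__ == "__main__":
    print({v: is_fixed(v) for v in ("1.1.23", "2.0.4", "2.0.5-rc2")})
    print("haclient members:", haclient_members(SAMPLE_GROUP))
```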

Comment 7 Ken Gaillot 2020-10-19 20:20:57 UTC
Created attachment 1722698
Fix for pacemaker CVE-2020-25654 (upstream master branch as of 2020-10-18)

Comment 8 Ken Gaillot 2020-10-19 20:21:48 UTC
Created attachment 1722699
Fix for pacemaker CVE-2020-25654 (upstream 2.0.4 release)

Comment 9 Ken Gaillot 2020-10-19 20:22:14 UTC
Created attachment 1722700
Fix for pacemaker CVE-2020-25654 (upstream 2.0.3 release)

Comment 10 Ken Gaillot 2020-10-19 20:22:45 UTC
Created attachment 1722701
Fix for pacemaker CVE-2020-25654 (upstream 1.1.23 release)

Comment 11 Ken Gaillot 2020-10-19 20:25:04 UTC
Patches attached. Each patch is the same fix, but applicable to different points in the upstream code base (master branch as of this morning, the two most recent upstream releases 2.0.4 and 2.0.3, and the most recent release of the previous upstream major series 1.1.23).

Comment 21 Huzaifa S. Sidhpurwala 2020-10-27 07:51:27 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1891718]
Affects: openstack-rdo [bug 1891719]

Comment 31 Huzaifa S. Sidhpurwala 2020-10-28 02:26:41 UTC
Acknowledgments:

Name: Ken Gaillot (Red Hat)

Comment 42 Hardik Vyas 2020-11-09 07:50:33 UTC
Statement:

Red Hat Gluster Storage 3 no longer maintains its own version of pacemaker; the prerequisite is to enable the "Red Hat Enterprise Linux High Availability (for RHEL X Server)" repository. The fix will be consumed from the RHEL High Availability repository.