Bug 704039 (CVE-2011-1784) - CVE-2011-1784 keepalived: insecure permissions on pid files
Summary: CVE-2011-1784 keepalived: insecure permissions on pid files
Status: CLOSED ERRATA
Alias: CVE-2011-1784
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110510,reported=20110510,sou...
Keywords: Security
Depends On: 704040 704041
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-11 22:45 UTC by Vincent Danen
Modified: 2019-06-08 18:49 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-12-20 17:54:54 UTC


Attachments (Terms of Use)

Description Vincent Danen 2011-05-11 22:45:53 UTC
It was reported [1] that keepalived wrote its PID files in /var/run as world-writable files.  This could allow an unprivileged user to change the referenced PID in the PID file, and upon a service restart or stop of keepalived, would kill the other process.

The keepalived daemonize code explicitly sets umask(0) which is the root cause of this flaw, so PID file creation should probably contain an explicit permissions settings.

For instance, as root:

# service keepalived status
keepalived (pid  9634) is running...
# cat /var/run/keepalived.pid 
9634
# ls -al /var/run/keepalived.pid 
-rw-rw-rw- 1 root root 5 May 10 15:13 /var/run/keepalived.pid

Then as an unprivileged user:

% echo $(ps ax|grep sshd|grep -v grep|cut -d ' ' -f 2) >/var/run/keepalived.pid 
% cat /var/run/keepalived.pid 
1638

Back to root:

# service keepalived status
keepalived (pid  1638) is running...
# service keepalived stop
Stopping keepalived:                                       [  OK  ]
# service sshd status
openssh-daemon is stopped
# ps ax|grep sshd|grep -v grep
# ps ax|grep keepalived|grep -v grep
 9634 ?        Ss     0:00 /usr/sbin/keepalived -D
 9636 ?        S      0:00 /usr/sbin/keepalived -D
 9637 ?        S      0:00 /usr/sbin/keepalived -D

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281

Comment 1 Vincent Danen 2011-05-11 22:47:09 UTC
Created keepalived tracking bugs for this issue

Affects: fedora-all [bug 704040]
Affects: epel-6 [bug 704041]

Comment 2 Vincent Danen 2011-05-17 23:43:50 UTC
This was assigned CVE-2011-1784.

Comment 3 Fedora Update System 2012-09-04 22:59:01 UTC
keepalived-1.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2012-09-04 23:00:23 UTC
keepalived-1.2.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.