Bug 704039 - (CVE-2011-1784) CVE-2011-1784 keepalived: insecure permissions on pid files
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low  Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20110510,reported=20110510,sou...
Keywords: Security
Depends On: 704040 704041
Reported: 2011-05-11 18:45 EDT by Vincent Danen
Modified: 2016-03-01 04:27 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-12-20 12:54:54 EST
Description Vincent Danen 2011-05-11 18:45:53 EDT
It was reported [1] that keepalived wrote its PID files in /var/run as world-writable files.  This could allow an unprivileged user to change the referenced PID in the PID file, and upon a service restart or stop of keepalived, would kill the other process.

The keepalived daemonize code explicitly sets umask(0), which is the root cause of this flaw, so PID file creation should probably contain explicit permission settings.

For instance, as root:

# service keepalived status
keepalived (pid  9634) is running...
# cat /var/run/keepalived.pid 
9634
# ls -al /var/run/keepalived.pid 
-rw-rw-rw- 1 root root 5 May 10 15:13 /var/run/keepalived.pid

Then as an unprivileged user:

% echo $(ps ax|grep sshd|grep -v grep|cut -d ' ' -f 2) >/var/run/keepalived.pid 
% cat /var/run/keepalived.pid 
1638

Back to root:

# service keepalived status
keepalived (pid  1638) is running...
# service keepalived stop
Stopping keepalived:                                       [  OK  ]
# service sshd status
openssh-daemon is stopped
# ps ax|grep sshd|grep -v grep
# ps ax|grep keepalived|grep -v grep
 9634 ?        Ss     0:00 /usr/sbin/keepalived -D
 9636 ?        S      0:00 /usr/sbin/keepalived -D
 9637 ?        S      0:00 /usr/sbin/keepalived -D

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
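Added example, not keepalived's own code and not part of the report above: the two halves of the flaw in C. First, why a daemonize routine that calls umask(0) and then creates the PID file with a plain fopen() ends up with a 0666 file, next to a hardened writer that passes an explicit mode and tightens the descriptor with fchmod(). Second, a stop-time guard that refuses to signal the stored PID unless /proc/<pid>/comm names the expected daemon, so a PID file rewritten by an unprivileged user cannot be used to kill sshd the way the transcript shows. The /tmp path, the function names and the reliance on Linux /proc are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed path for a stand-alone run; a real daemon would use /var/run. */
static const char *const EXAMPLE_PIDFILE = "/tmp/keepalived-cve-2011-1784-example.pid";

/* Vulnerable pattern: the daemonize code clears the umask, and fopen(3)
 * creates the file with its default mode 0666. With nothing masked off,
 * any local user can overwrite the stored PID. Returns 0 on success. */
int write_pidfile_insecure(const char *path, pid_t pid)
{
    umask(0);                              /* as in the daemonize code described above */
    FILE *f = fopen(path, "w");            /* created with 0666 & ~0 == 0666 */
    if (f == NULL)
        return -1;
    fprintf(f, "%d\n", (int)pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: open(2) with an explicit 0644, O_NOFOLLOW so a symlink planted
 * in the shared directory is refused, and fchmod(2) on the descriptor so a
 * pre-existing world-writable file is tightened whatever the umask is. */
int write_pidfile_secure(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (fchmod(fd, 0644) < 0 || write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* 1 if others may write the file (the CVE condition), 0 if not, -1 on error. */
int pidfile_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* PID stored in path, or -1 if the file is missing or not a positive integer. */
long read_pidfile(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    if (line == NULL)
        return -1;
    char *end;
    long pid = strtol(buf, &end, 10);
    return (end == buf || pid <= 0) ? -1 : pid;
}

/* Stop-time guard: send sig to the stored PID only if /proc/<pid>/comm names
 * expected_comm (Linux-specific). Returns 1 if the signal was sent, 0 if the
 * PID belongs to some other program (tampered PID file), -1 on error. */
int kill_from_pidfile_checked(const char *path, const char *expected_comm, int sig)
{
    long pid = read_pidfile(path);
    if (pid < 0)
        return -1;
    char procpath[64], comm[64];
    snprintf(procpath, sizeof procpath, "/proc/%ld/comm", pid);
    FILE *f = fopen(procpath, "r");
    if (f == NULL)
        return -1;
    char *line = fgets(comm, sizeof comm, f);
    fclose(f);
    if (line == NULL)
        return -1;
    comm[strcspn(comm, "\n")] = '\0';
    if (strcmp(comm, expected_comm) != 0)
        return 0;                          /* refuse: not the daemon we started */
    return kill((pid_t)pid, sig) == 0 ? 1 : -1;
}

int main(void)
{
    unlink(EXAMPLE_PIDFILE);
    write_pidfile_insecure(EXAMPLE_PIDFILE, getpid());
    printf("insecure writer: world-writable=%d\n", pidfile_world_writable(EXAMPLE_PIDFILE));
    unlink(EXAMPLE_PIDFILE);
    write_pidfile_secure(EXAMPLE_PIDFILE, getpid());
    printf("secure writer:   world-writable=%d\n", pidfile_world_writable(EXAMPLE_PIDFILE));
    /* this process is not keepalived, so the guarded stop must refuse */
    printf("guarded stop:    result=%d\n",
           kill_from_pidfile_checked(EXAMPLE_PIDFILE, "keepalived", 0));
    unlink(EXAMPLE_PIDFILE);
    return 0;
}
```

The guard uses signal 0 in the demonstration, which only checks that the process exists; a real init script would pass SIGTERM. Note that checking the process name is a mitigation for the stop path only: the real fix is creating the PID file with a restrictive mode, as the Fedora updates below do.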
Comment 1 Vincent Danen 2011-05-11 18:47:09 EDT
Created keepalived tracking bugs for this issue

Affects: fedora-all [bug 704040]
Affects: epel-6 [bug 704041]
Comment 2 Vincent Danen 2011-05-17 19:43:50 EDT
This was assigned CVE-2011-1784.
Comment 3 Fedora Update System 2012-09-04 18:59:01 EDT
keepalived-1.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2012-09-04 19:00:23 EDT
keepalived-1.2.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
