Bug 1369732 (CVE-2016-7035) - CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication
Summary: CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-7035
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1369467 1379782 (view as bug list)
Depends On: 1369467 1374774 1374775 1374776 1374777 1391386
Blocks: 1369733 1379785
TreeView+ depends on / blocked
 
Reported: 2016-08-24 09:21 UTC by Adam Mariš
Modified: 2019-09-29 13:55 UTC (History)
9 users (show)

Fixed In Version: pacemaker 1.1.16
Doc Type: If docs needed, set a value
Doc Text:
An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
Clone Of:
Environment:
Last Closed: 2016-11-08 13:49:04 UTC


Attachments (Terms of Use)
Fix, latest version (3.14 KB, patch)
2016-11-03 08:57 UTC, Cedric Buissart 🐶
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2614 normal SHIPPED_LIVE Important: pacemaker security and bug fix update 2016-11-03 17:06:04 UTC
Red Hat Product Errata RHSA-2016:2675 normal SHIPPED_LIVE Important: pacemaker security update 2016-11-08 18:21:57 UTC

Description Adam Mariš 2016-08-24 09:21:25 UTC
It was found that pacemaker doesn't properly check privileges and allows to change privileges to root level for non-privileged user.

Vulnerable code (lib/common/ipc.c):

317     if(gid_cluster != 0 && gid_client != 0) {
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
318         uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
319 
320         if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
                                 ^^^^^^^^^^^^^^^^ 
321             best_uid = QB_MAX(uid_client, uid_server);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
322             crm_trace("Allowing user %u to clean up after disconnect", best_uid);
323         }
324 
325         crm_trace("Giving access to group %u", gid_cluster);
326         qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^    ^^^^^^^^
327     }

Introduced with commit
https://github.com/ClusterLabs/pacemaker/commit/5fe63f902b35bfed9cee117060a3ba7830d548f5


Affected pacemaker versions
===========================
Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version
Pacemaker-1.1.15 (2016-06-21).

This covers all pacemaker packages since at least RHEL 6.5 (up to what's
currently queued for RHEL 7.3).


Affected pacemaker daemons
==========================

- union of those running as root:
  . pacemakerd
  . stonithd
  . lrmd
 and those exposing IPC API:
  . lrmd
  . ...?


References
==========
Upstream patch :
https://github.com/ClusterLabs/pacemaker/commit/5d71e65049

Upstream discussion :
http://clusterlabs.org/pipermail/users/2016-November/004432.html

Disclosure email :
http://www.openwall.com/lists/oss-security/2016/11/03/5

Comment 1 Adam Mariš 2016-08-24 09:21:29 UTC
Acknowledgments:

Name: Jan "poki" Pokorny (Red Hat), Alain Moulle (ATOS/BULL)

Comment 9 Ken Gaillot 2016-09-22 22:13:32 UTC
*** Bug 1369467 has been marked as a duplicate of this bug. ***

Comment 12 Cedric Buissart 🐶 2016-10-24 16:00:28 UTC
*** Bug 1379782 has been marked as a duplicate of this bug. ***

Comment 13 Cedric Buissart 🐶 2016-11-03 08:45:46 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1391386]

Comment 14 Cedric Buissart 🐶 2016-11-03 08:57:40 UTC
Created attachment 1216896 [details]
Fix, latest version

Comment 15 errata-xmlrpc 2016-11-04 09:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2614 https://rhn.redhat.com/errata/RHSA-2016-2614.html

Comment 16 errata-xmlrpc 2016-11-08 13:23:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2675 https://rhn.redhat.com/errata/RHSA-2016-2675.html


Note You need to log in before you can comment on or make changes to this bug.