Bug 1379784 (CVE-2016-7797) - CVE-2016-7797 pacemaker: pacemaker remote nodes vulnerable to hijacking, resulting in a DoS attack
Summary: CVE-2016-7797 pacemaker: pacemaker remote nodes vulnerable to hijacking, resu...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-7797
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1312094 1389439 1389440
Blocks: 1379785
TreeView+ depends on / blocked
 
Reported: 2016-09-27 16:20 UTC by Adam Mariš
Modified: 2021-02-17 03:15 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the connection between a pacemaker cluster and a pacemaker_remote node could be shut down using a new unauthenticated connection. A remote attacker could use this flaw to cause a denial of service.
Clone Of:
Environment:
Last Closed: 2016-11-04 08:19:40 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Cluster Labs 5269 0 None None None 2016-10-03 09:11:00 UTC
Red Hat Product Errata RHSA-2016:2578 0 normal SHIPPED_LIVE Moderate: pacemaker security, bug fix, and enhancement update 2016-11-03 12:07:24 UTC

Description Adam Mariš 2016-09-27 16:20:29 UTC
If a corosync node is connected to a pacemaker_remote node, the
connection can be trivially killed simply by connecting to the remote on its
standard TCP port (typically 3121):

2016-02-18T18:06:45.258661+00:00 d52-54-77-77-77-01 crmd[2637]:    error:
Unexpected pacemaker_remote client takeover. Disconnecting

Takeover is allowed in order to support migration of the remote primitive from
one corosync node to another, but since this is a trivial denial of service
attack, it should only be allowed once a valid authkey is provided.

=> Upstream bug :
 - Bug 5269 - DoS: valid authkey should be required for takeover of a Pacemaker remote
http://bugs.clusterlabs.org/show_bug.cgi?id=5269

=> Upstream fix :
 - Fix: remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388)
https://github.com/ClusterLabs/pacemaker/commit/5ec24a26

Resolved in upstream pacemaker 1.1.15

Comment 3 Cedric Buissart 2016-10-03 09:29:41 UTC
=> Fedora is not affected since fedora 23 and 24 are using pacemaker-1.1.15.

=> Resolved in RHEL6.8, pacemaker-1.1.14-8.el6, via the following bugzilla :
 - Bug 1312092 - crmd can crash after unexpected remote connection takeover
https://bugzilla.redhat.com/show_bug.cgi?id=1312092

Corresponding errata : https://rhn.redhat.com/errata/RHBA-2016-0856.html

=> Planned resolution in RHEL7 via the following bugzilla :
 - Bug 1312094 - crmd can crash after unexpected remote connection takeover
https://bugzilla.redhat.com/show_bug.cgi?id=1312094

Comment 5 Cedric Buissart 2016-10-27 09:09:22 UTC
Acknowledgments:

Name: Alain Moulle (ATOS/BULL)

Comment 6 errata-xmlrpc 2016-11-03 19:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2578 https://rhn.redhat.com/errata/RHSA-2016-2578.html


Note You need to log in before you can comment on or make changes to this bug.