CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby (DRb) module installed on the system to execute arbitrary shell commands using `instance_eval()`.
Mitigation: Administrators of the CloudForms appliance can filter local packages going to the port where MIQ Server is listening, by using the following iptables command: # iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport <MIQ Server port> -m owner '!' --uid-owner root -j DROP Where the MIQ Server port can be found using netstat command: # netstat -nl --tcp -p | grep -i "miq server"
Acknowledgments: Name: Stephen Gappinger (American Express)
This issue has been addressed in the following products: CloudForms Management Engine 5.9 Via RHSA-2018:2561 https://access.redhat.com/errata/RHSA-2018:2561
This issue has been addressed in the following products: CloudForms Management Engine 5.8 Via RHSA-2018:2745 https://access.redhat.com/errata/RHSA-2018:2745