Bug 1652646 (CVE-2018-16877) - CVE-2018-16877 pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc
Summary: CVE-2018-16877 pacemaker: Insufficient local IPC client-server authentication...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16877
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190417:0430...
Depends On: 1694558 1706306 1694555 1694556 1694557 1700737
Blocks: 1652647
TreeView+ depends on / blocked
 
Reported: 2018-11-22 14:17 UTC by Pedro Sampaio
Modified: 2019-06-18 23:01 UTC (History)
21 users (show)

Fixed In Version: pacemaker 2.0.2-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way pacemaker's client-server authentication was implemented. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:12 UTC


Attachments (Terms of Use)
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885 (71.68 KB, application/gzip)
2019-04-17 05:57 UTC, Huzaifa S. Sidhpurwala
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1278 None None None 2019-05-27 16:00:07 UTC
Red Hat Product Errata RHSA-2019:1279 None None None 2019-05-27 15:59:48 UTC

Description Pedro Sampaio 2018-11-22 14:17:41 UTC
A flaw was found in pacemaker. Insufficient verification of client-side authentication combined with other IPC weaknesses leads to local privilege escalation.

Comment 2 Huzaifa S. Sidhpurwala 2018-12-03 10:59:11 UTC
Acknowledgments:

Name: Jan Pokorný (Red Hat)

Comment 5 Huzaifa S. Sidhpurwala 2019-04-01 06:13:24 UTC
Detailed description of the issue:

A pair of design-level security vulnerabilities were discovered, verging on mere weaknesses in isolation, but when opportunistically combined, making for a local privilege escalation (which is easily extended to taking control over the whole cluster, which is a natural consequence of obtaining local root privileges solely by the means of what pacemaker unexpectedly allows one to breach on its own -- note that direct remote code execution to other kinds of remote exploitation were not discovered, but there was not too much effort put into this either, and some hypothetical attacks may be possible)

With "confused deputy" in the title, we refer to a problem of a computer program being too naive so that it can be tricked by the attacker to perform something malicious the same way legitimate processing is carried out.  This may be, and in pacemaker case is, enough to undermine the integrity of otherwise secured boundaries of the computing environment, and in turn elevate privileges of the attacker [1].  Plural is used since the naivity is knowingly exposed in two different places, as detailed below.

At this point, it's worth mentioning that local privilege escalation is just the most interesting proved attack scenario, since getting a control over a machine is more valuable than degrading overall cluster high availability on a single (attacker-local) node. 
[1] https://en.wikipedia.org/wiki/Confused_deputy_problem

Given this is mostly a design flaw, it is assumed that any pacemaker version integrated with libqb is affected, meaning the span would be:
- since Pacemaker-1.1.8 (~ September 2012)
- up to and including Pacemaker-2.0.0

Comment 7 Huzaifa S. Sidhpurwala 2019-04-17 05:48:00 UTC
Statement:

This is essentially a design level security flaw which can be combined with other flaws to achieve local privilege escalation for clusters running pacemaker. The attacker needs to have access to the cluster node running pacemaker (AV:L). The attacker can use easily use the design flaw via the confused deputy problem to run the exploit (AC:L), also needs to have login access to the pacemaker node to run the exploit (PR:L). 

Due to the elevated privileges obtained, there is an impact to the system beyond the pacemaker node itself (S:C). Lastly due to the attacker's ability to run arbitrary code as root, confidentiality, integrity, and availability of the system is affected. (CIA:H)

Comment 8 Huzaifa S. Sidhpurwala 2019-04-17 05:57:34 UTC
Created attachment 1555734 [details]
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885

Comment 9 Huzaifa S. Sidhpurwala 2019-04-17 09:44:59 UTC
Public via:
https://www.openwall.com/lists/oss-security/2019/04/17/1

Comment 10 Huzaifa S. Sidhpurwala 2019-04-17 09:51:30 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1700737]

Comment 20 Huzaifa S. Sidhpurwala 2019-05-04 07:56:46 UTC
Created pacemaker tracking bugs for this issue:

Affects: openstack-rdo [bug 1706306]

Comment 22 errata-xmlrpc 2019-05-27 15:59:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1279 https://access.redhat.com/errata/RHSA-2019:1279

Comment 23 errata-xmlrpc 2019-05-27 16:00:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1278


Note You need to log in before you can comment on or make changes to this bug.