A flaw was found in pacemaker. Insufficient verification of client-side authentication combined with other IPC weaknesses leads to local privilege escalation.
Acknowledgments: Name: Jan Pokorný (Red Hat)
Detailed description of the issue:

A pair of design-level security vulnerabilities were discovered, verging on mere weaknesses in isolation, but when opportunistically combined, making for a local privilege escalation (which is easily extended to taking control over the whole cluster, which is a natural consequence of obtaining local root privileges solely by means of what pacemaker unexpectedly allows one to breach on its own -- note that direct remote code execution or other kinds of remote exploitation were not discovered, but there was not too much effort put into this either, and some hypothetical attacks may be possible).

With "confused deputy" in the title, we refer to a problem of a computer program being too naive, so that it can be tricked by the attacker into performing something malicious the same way legitimate processing is carried out. This may be, and in pacemaker's case is, enough to undermine the integrity of otherwise secured boundaries of the computing environment, and in turn elevate the privileges of the attacker [1]. The plural is used since the naivety is knowingly exposed in two different places, as detailed below.

At this point, it's worth mentioning that local privilege escalation is just the most interesting proven attack scenario, since getting control over a machine is more valuable than degrading overall cluster high availability on a single (attacker-local) node.

[1] https://en.wikipedia.org/wiki/Confused_deputy_problem

Given this is mostly a design flaw, it is assumed that any pacemaker version integrated with libqb is affected, meaning the span would be:
- since Pacemaker-1.1.8 (~ September 2012)
- up to and including Pacemaker-2.0.0
Statement: This is essentially a design-level security flaw which can be combined with other flaws to achieve local privilege escalation for clusters running pacemaker. The attacker needs to have access to the cluster node running pacemaker (AV:L). The attacker can easily use the design flaw via the confused deputy problem to run the exploit (AC:L), and also needs to have login access to the pacemaker node to run the exploit (PR:L). Due to the elevated privileges obtained, there is an impact to the system beyond the pacemaker node itself (S:C). Lastly, due to the attacker's ability to run arbitrary code as root, confidentiality, integrity, and availability of the system are affected (CIA:H).
Created attachment 1555734: Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885
Public via: https://www.openwall.com/lists/oss-security/2019/04/17/1
Created pacemaker tracking bugs for this issue: Affects: fedora-all [bug 1700737]
Upstream patch: https://github.com/ClusterLabs/pacemaker/pull/1749/commits/970736b1c7ad5c78cc5295a4231e546104d55893
Created pacemaker tracking bugs for this issue: Affects: openstack-rdo [bug 1706306]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1279 https://access.redhat.com/errata/RHSA-2019:1279
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1278