[ClusterLabs] [SECURITY] CVE-2016-7035 - pacemaker - improper IPC guarding

Jan Pokorný jpokorny at redhat.com
Thu Nov 3 12:03:20 CET 2016


The following issue is being publicly disclosed today; more information
regarding the release process will arrive later today.  This is also an
opportunity to announce the http://clusterlabs.org/wiki/Security page,
which was introduced to help keep track of security issues (any fellow
project is welcome to use it as well; Andrew or Ken can make an account
on the wiki on your behalf).

It was discovered that, under some not so uncommon circumstances, some
pacemaker daemons could be talked to via libqb-facilitated IPC by
unprivileged clients, due to a flawed authorization decision.  Depending
on the capabilities of the affected daemons, this might give an
unauthorized user local privilege escalation, or even cluster-wide
remote execution of possibly arbitrary commands, when such a user
resides on a standard or a remote/guest cluster node, respectively.

The original vulnerability was introduced in an attempt to allow
unprivileged IPC clients to clean up the leftovers materialized in the
file system in case the server (otherwise responsible for the lifecycle
of these files) crashes.  While the intended part of that behavior is
now effectively voided (along with the unintended one), a best-effort
fix addressing this corner case systemically in libqb is coming along
(https://github.com/ClusterLabs/libqb/pull/231).
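To make the class of mistake concrete, here is an added illustration (example code written for this page, not pacemaker's or libqb's own logic, and not a reconstruction of the actual flaw).  It models an IPC server's accept decision in the shape libqb hands to a connection-accept callback, namely the connecting client's uid and gid.  The "strict" variant decides purely on the peer's identity; the "relaxed" variant shows what goes wrong when a separate question ("which uid should own leftover files so it can clean them up if the server dies?") is folded into that decision.  The policy values (a root daemon, a daemon running as an assumed cluster group gid 189 standing in for a hacluster-style account, a client with uid/gid 1000) are constructed for the example.

```c
/* Added example, not pacemaker or libqb code: peer-credential authorization
 * for a privileged IPC server, strict vs. relaxed.  All names, policies and
 * ids below are illustrative assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Inputs the server knows about itself.  In a real daemon these would come
 * from getuid() and a group lookup of the cluster account at startup. */
struct ipc_policy {
    uid_t server_uid;   /* uid the daemon runs as (0 for a root daemon) */
    gid_t cluster_gid;  /* group whose members are allowed to talk to it */
};

/* Assumed sample policies: a root daemon and an unprivileged one. */
const struct ipc_policy POLICY_ROOT_DAEMON      = { 0,   189 };
const struct ipc_policy POLICY_CLUSTER_DAEMON   = { 189, 189 };

/* Strict decision: the answer depends only on who the peer is.
 * Returns 0 to accept the connection, -EACCES to refuse it (the error
 * code is returned in the style of a libqb accept callback). */
int32_t ipc_accept_strict(const struct ipc_policy *p, uid_t uid, gid_t gid)
{
    if (uid == 0 || uid == p->server_uid) {
        return 0;
    }
    if (p->cluster_gid != 0 && gid == p->cluster_gid) {
        return 0;
    }
    return -EACCES;
}

/* Which uid should be allowed to remove the server's leftover files if the
 * server crashes.  This is an ownership question, answered only for clients
 * that have already been accepted; it must never widen the accept decision. */
uid_t ipc_cleanup_owner(const struct ipc_policy *p, uid_t accepted_uid)
{
    /* Prefer the less privileged of the two parties so that a crash of a
     * root daemon does not leave root-owned debris an unprivileged client
     * cannot delete; (uid_t)-1 means "leave ownership unchanged". */
    if (accepted_uid == 0 || p->server_uid == 0) {
        return accepted_uid > p->server_uid ? accepted_uid : p->server_uid;
    }
    return (uid_t)-1;
}

/* Relaxed decision (the anti-pattern): the cleanup-owner computation is
 * reused as if it were an authorization result.  For a root daemon every
 * client yields a usable cleanup owner, so every client is accepted. */
int32_t ipc_accept_relaxed(const struct ipc_policy *p, uid_t uid, gid_t gid)
{
    uid_t owner = ipc_cleanup_owner(p, uid);
    if (owner != (uid_t)-1) {
        return 0;   /* BUG: "someone can own the files" is not "this peer may connect" */
    }
    return (p->cluster_gid != 0 && gid == p->cluster_gid) ? 0 : -EACCES;
}

/* Stand-alone demonstration of the two policies against an unrelated,
 * unprivileged client (uid 1000, gid 1000, constructed). */
int main(void)
{
    const uid_t uid = 1000;
    const gid_t gid = 1000;

    printf("root daemon,    strict : %d\n", ipc_accept_strict(&POLICY_ROOT_DAEMON, uid, gid));
    printf("root daemon,    relaxed: %d\n", ipc_accept_relaxed(&POLICY_ROOT_DAEMON, uid, gid));
    printf("cluster daemon, strict : %d\n", ipc_accept_strict(&POLICY_CLUSTER_DAEMON, uid, gid));
    printf("cluster daemon, relaxed: %d\n", ipc_accept_relaxed(&POLICY_CLUSTER_DAEMON, uid, gid));
    return 0;
}
```

Two properties of this illustrative model are worth noting.  First, the relaxed variant only misbehaves for the root daemon; the daemon running as the cluster account still refuses the stranger, which is one way a flaw of this kind can depend on which daemon is being contacted rather than showing up uniformly.  Second, the fix is structural rather than a tweak of the condition: compute the accept verdict from the peer credentials alone, and only then, for an accepted client, decide file ownership for crash cleanup.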

Affected versions:  1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
Impact:             Important
CVSSv3 ranking:     8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Credits for independent findings, in chronological order:
  Jan "poki" Pokorný, of Red Hat
  Alain Moulle, of ATOS/BULL


Patch for the issue, applicable to all affected versions:
https://github.com/ClusterLabs/pacemaker/pull/1166/commits/5a20855d6054ebaae590c09262b328d957cc1fc2

-- 
Jan (Poki)