
Bug 1369732 (CVE-2016-7035)

Summary: CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abeekhof, btotty, cbuissar, cfeist, jpokorny, kgaillot, security-response-team, slong, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pacemaker 1.1.16
Doc Type: If docs needed, set a value
Doc Text:
An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
Story Points: ---
Last Closed: 2016-11-08 13:49:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1374774, 1374775, 1374776, 1374777, 1391386
Attachments:
  Fix, latest version (flags: none)

Description Adam Mariš 2016-08-24 09:21:25 UTC
It was found that pacemaker doesn't properly check privileges and allows a non-privileged user to change privileges to root level.

Vulnerable code (lib/common/ipc.c):

    if(gid_cluster != 0 && gid_client != 0) {
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */

        if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
                              ^^^^^^^^^^^^^^^^
            best_uid = QB_MAX(uid_client, uid_server);
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            crm_trace("Allowing user %u to clean up after disconnect", best_uid);
        }

        crm_trace("Giving access to group %u", gid_cluster);
        qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^    ^^^^^^^^
    }

Introduced with commit
https://github.com/ClusterLabs/pacemaker/commit/5fe63f902b35bfed9cee117060a3ba7830d548f5


Affected pacemaker versions
===========================
Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version
Pacemaker-1.1.15 (2016-06-21).

This covers all pacemaker packages since at least RHEL 6.5 (up to what's
currently queued for RHEL 7.3).


Affected pacemaker daemons
==========================

- union of those running as root:
  . pacemakerd
  . stonithd
  . lrmd
 and those exposing IPC API:
  . lrmd
  . ...?


References
==========
Upstream patch:
https://github.com/ClusterLabs/pacemaker/commit/5d71e65049

Upstream discussion:
http://clusterlabs.org/pipermail/users/2016-November/004432.html

Disclosure email:
http://www.openwall.com/lists/oss-security/2016/11/03/5
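
The decision logic of the quoted ipc.c fragment, re-implemented as a pure function so the root-daemon / unprivileged-client case can be exercised, next to a hypothetical stricter policy for contrast. This is an added example, not code from the bug report or from pacemaker: `struct ipc_auth`, `vulnerable_auth`, `strict_auth` and the sample uid/gid values are constructed, and `strict_auth` is an illustrative policy, not the upstream fix.

```c
#include <sys/stat.h>
#include <sys/types.h>

/* libqb's QB_MAX, redefined locally so this builds without libqb. */
#define QB_MAX(a, b) ((a) > (b) ? (a) : (b))

/* The triple handed to qb_ipcs_connection_auth_set(): owner uid, group gid,
 * file mode. (uid_t)-1 / (gid_t)-1 mean "leave unchanged", as for chown(2). */
struct ipc_auth { uid_t uid; gid_t gid; mode_t mode; };

/* Decision logic of the quoted lib/common/ipc.c fragment (1.1.10-rc2..1.1.15)
 * as a pure function of the client and server credentials. */
struct ipc_auth vulnerable_auth(uid_t uid_client, gid_t gid_client,
                                uid_t uid_server, gid_t gid_cluster)
{
    struct ipc_auth a = { (uid_t)-1, (gid_t)-1, 0 };
    /* gid_client is only compared with 0 (root's group), never with
     * gid_cluster: any non-root client takes this branch. */
    if (gid_cluster != 0 && gid_client != 0) {
        uid_t best_uid = (uid_t)-1;
        /* Meant for "root client, non-root daemon", but it also fires for
         * "non-root client, root daemon", where QB_MAX picks the client. */
        if (uid_client == 0 || uid_server == 0)
            best_uid = QB_MAX(uid_client, uid_server);

        a.uid = best_uid;     /* the unprivileged client now owns the IPC files */
        a.gid = gid_cluster;  /* and the whole cluster group gets rw on them */
        a.mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;
    }
    return a;
}

/* Hypothetical stricter policy for comparison (NOT upstream 5d71e65049): no
 * grant to a non-root client of a root daemon, and group access only to a
 * client whose group really is the cluster group. */
struct ipc_auth strict_auth(uid_t uid_client, gid_t gid_client,
                            uid_t uid_server, gid_t gid_cluster)
{
    struct ipc_auth a = { (uid_t)-1, (gid_t)-1, 0 };
    if (gid_cluster == 0 || gid_client != gid_cluster)
        return a;             /* not a cluster-group member */
    if (uid_server == 0 && uid_client != 0)
        return a;             /* unprivileged client of a root daemon */
    if (uid_client == 0 || uid_server == 0)
        a.uid = QB_MAX(uid_client, uid_server);  /* non-root side cleans up */
    a.gid = gid_cluster;
    a.mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;
    return a;
}
```

With a root daemon (uid 0), an ordinary user (uid/gid 1000) and a constructed cluster gid of 189, `vulnerable_auth` hands ownership to uid 1000 and rw to gid 189, while `strict_auth` grants nothing.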

Comment 1 Adam Mariš 2016-08-24 09:21:29 UTC
Acknowledgments:

Name: Jan "poki" Pokorny (Red Hat), Alain Moulle (ATOS/BULL)

Comment 9 Ken Gaillot 2016-09-22 22:13:32 UTC
*** Bug 1369467 has been marked as a duplicate of this bug. ***

Comment 12 Cedric Buissart 2016-10-24 16:00:28 UTC
*** Bug 1379782 has been marked as a duplicate of this bug. ***

Comment 13 Cedric Buissart 2016-11-03 08:45:46 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1391386]

Comment 14 Cedric Buissart 2016-11-03 08:57:40 UTC
Created attachment 1216896 [details]
Fix, latest version

Comment 15 errata-xmlrpc 2016-11-04 09:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2614 https://rhn.redhat.com/errata/RHSA-2016-2614.html

Comment 16 errata-xmlrpc 2016-11-08 13:23:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2675 https://rhn.redhat.com/errata/RHSA-2016-2675.html