Bug 1369732 (CVE-2016-7035) - CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC communication
Summary: CVE-2016-7035 pacemaker: Privilege escalation due to improper guarding of IPC...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-7035
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1374774 1374775 1374776 1374777 1391386
Blocks:
Reported: 2016-08-24 09:21 UTC by Adam Mariš
Modified: 2021-02-17 03:25 UTC (History)

Fixed In Version: pacemaker 1.1.16
Doc Type: If docs needed, set a value
Doc Text:
An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
Clone Of:
Environment:
Last Closed: 2016-11-08 13:49:04 UTC
Embargoed:


Attachments (Terms of Use)
Fix, latest version (deleted)
2016-11-03 08:57 UTC, Cedric Buissart


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2614 0 normal SHIPPED_LIVE Important: pacemaker security and bug fix update 2016-11-03 17:06:04 UTC
Red Hat Product Errata RHSA-2016:2675 0 normal SHIPPED_LIVE Important: pacemaker security update 2016-11-08 18:21:57 UTC

Description Adam Mariš 2016-08-24 09:21:25 UTC
It was found that pacemaker doesn't properly check privileges and allows a non-privileged user to change privileges to root level.

Vulnerable code (lib/common/ipc.c):

317     if(gid_cluster != 0 && gid_client != 0) {
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
318         uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
319 
320         if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
                                 ^^^^^^^^^^^^^^^^ 
321             best_uid = QB_MAX(uid_client, uid_server);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
322             crm_trace("Allowing user %u to clean up after disconnect", best_uid);
323         }
324 
325         crm_trace("Giving access to group %u", gid_cluster);
326         qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^    ^^^^^^^^
327     }

Introduced with commit
https://github.com/ClusterLabs/pacemaker/commit/5fe63f902b35bfed9cee117060a3ba7830d548f5


Affected pacemaker versions
===========================
Pacemaker-1.1.10-rc2 (2013-05-03) up to the latest released version
Pacemaker-1.1.15 (2016-06-21).

This covers all pacemaker packages since at least RHEL 6.5 (up to what's
currently queued for RHEL 7.3).


Affected pacemaker daemons
==========================

- union of those running as root:
  . pacemakerd
  . stonithd
  . lrmd
 and those exposing IPC API:
  . lrmd
  . ...?


References
==========
Upstream patch:
https://github.com/ClusterLabs/pacemaker/commit/5d71e65049

Upstream discussion:
http://clusterlabs.org/pipermail/users/2016-November/004432.html

Disclosure email:
http://www.openwall.com/lists/oss-security/2016/11/03/5
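The following is an added illustration of the owner-selection logic quoted in the description; it is not pacemaker or libqb source and not the upstream fix. It models only the inner uid selection (the outer gid_cluster/gid_client gate is assumed to have passed), reproduces the QB_MAX() choice as quoted, and sets beside it a deliberately conservative rule that only ever grants ownership to a root client. The function names, the conservative rule and the sample uid 1000 are assumptions made for the example.

```c
/* Added example, not pacemaker/libqb code. Models the uid selection from the
 * quoted lib/common/ipc.c excerpt (CVE-2016-7035) and contrasts it with a
 * conservative rule. Neither the function names nor the "conservative" rule
 * come from upstream; they exist only to make the defect observable. */
#include <stdio.h>
#include <sys/types.h>

#define UID_UNCHANGED ((uid_t)-1)   /* -1 to chown(2) means "don't change" */
#define QB_MAX(a, b) (((a) > (b)) ? (a) : (b))

/* Selection as quoted in the description: when either side is root (uid 0),
 * QB_MAX() returns the LARGER uid, i.e. the non-root side, so a root server
 * hands channel ownership to an unprivileged client. */
uid_t pick_owner_vulnerable(uid_t uid_client, uid_t uid_server)
{
    uid_t best_uid = UID_UNCHANGED;
    if (uid_client == 0 || uid_server == 0) {   /* someone is privileged */
        best_uid = QB_MAX(uid_client, uid_server);
    }
    return best_uid;
}

/* Conservative rule (an assumption for this example, not the upstream patch):
 * ownership goes only to a root client; everything else stays unchanged. */
uid_t pick_owner_conservative(uid_t uid_client, uid_t uid_server)
{
    (void)uid_server;
    if (uid_client == 0) {
        return 0;
    }
    return UID_UNCHANGED;
}

/* Returns 1 when the rule would give an unprivileged client ownership of a
 * root server's IPC channel, which is the condition the report describes. */
int grants_root_ipc_to_unprivileged(uid_t (*rule)(uid_t, uid_t), uid_t uid_client)
{
    uid_t owner = rule(uid_client, 0 /* server runs as root, e.g. lrmd */);
    return owner != UID_UNCHANGED && owner != 0 && owner == uid_client;
}

static void show(const char *label, uid_t owner)
{
    if (owner == UID_UNCHANGED) {
        printf("%s: owner unchanged\n", label);
    } else {
        printf("%s: owner uid %u\n", label, (unsigned)owner);
    }
}

int main(void)
{
    uid_t unpriv = 1000; /* constructed sample: an ordinary login account */

    show("vulnerable rule, root server, client 1000",
         pick_owner_vulnerable(unpriv, 0));
    show("conservative rule, root server, client 1000",
         pick_owner_conservative(unpriv, 0));
    show("vulnerable rule, non-root server 189, client 1000",
         pick_owner_vulnerable(unpriv, 189));
    printf("escalation condition met: vulnerable=%d conservative=%d\n",
           grants_root_ipc_to_unprivileged(pick_owner_vulnerable, unpriv),
           grants_root_ipc_to_unprivileged(pick_owner_conservative, unpriv));
    return 0;
}
```

The point the model makes visible is that the flawed branch fires precisely because one side is root, and QB_MAX() then selects the other side; with both sides non-root the branch is skipped and the owner is left unchanged, which is why the flaw matters for the daemons the report lists as running as root and exposing IPC.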

Comment 1 Adam Mariš 2016-08-24 09:21:29 UTC
Acknowledgments:

Name: Jan "poki" Pokorny (Red Hat), Alain Moulle (ATOS/BULL)

Comment 9 Ken Gaillot 2016-09-22 22:13:32 UTC
*** Bug 1369467 has been marked as a duplicate of this bug. ***

Comment 12 Cedric Buissart 2016-10-24 16:00:28 UTC
*** Bug 1379782 has been marked as a duplicate of this bug. ***

Comment 13 Cedric Buissart 2016-11-03 08:45:46 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1391386]

Comment 14 Cedric Buissart 2016-11-03 08:57:40 UTC
Created attachment 1216896 [details]
Fix, latest version

Comment 15 errata-xmlrpc 2016-11-04 09:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2614 https://rhn.redhat.com/errata/RHSA-2016-2614.html

Comment 16 errata-xmlrpc 2016-11-08 13:23:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2675 https://rhn.redhat.com/errata/RHSA-2016-2675.html

