Date: Fri, 30 Sep 2016 17:57:28 +0200 From: Cedric Buissart <cbuissar@...hat.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE request: pacemaker DoS when pacemaker remote is in use Hi all, Last February was reported a vulnerability against pacemaker when pacemaker remote is in use, allowing a remote, unauthenticated, attacker to launch a DoS attack. I have not found a CVE request for it, so here is one : If a corosync node is connected to a pacemaker_remote node, the connection can be trivially killed simply by connecting to the remote on its standard TCP port (typically 3121): 2016-02-18T18:06:45.258661+00:00 d52-54-77-77-77-01 crmd: error: Unexpected pacemaker_remote client takeover. Disconnecting Takeover is allowed in order to support migration of the remote primitive from one corosync node to another, but since this is a trivial denial of service attack, it should only be allowed once a valid authkey is provided. The flaw has been fixed in Pacemaker-1.1.15 => Upstream bug : - Bug 5269 - DoS: valid authkey should be required for takeover of a Pacemaker remote http://bugs.clusterlabs.org/show_bug.cgi?id=5269 => Upstream fix : - Fix: remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388) https://github.com/ClusterLabs/pacemaker/commit/5ec24a26 Thanks! -- Cedric Buissart, Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ