Date: Thu, 3 Nov 2016 11:34:35 +0100 From: Jan Pokorný <jpokorny@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2016-7035 - pacemaker - improper IPC guarding Following issue is being publicly disclosed today: A vulnerability has been found in pacemaker, a software package for high-availability clustering. It was discovered that at some not so uncommon circumstances, some pacemaker daemons could be talked to, via libqb-facilitated IPC, by unprivileged clients due to flawed authorization decision. Depending on the capabilities of affected daemons, this might equip unauthorized user with local privilege escalation or up to cluster-wide remote execution of possibly arbitrary commands when such user happens to reside at standard or remote/guest cluster node, respectively. The original vulnerability was introduced in an attempt to allow unprivileged IPC clients to clean up the file system materialized leftovers in case the server (otherwise responsible for the lifecycle of these files) crashes. While the intended part of such behavior is now effectively voided (along with the unintended one), a best-effort fix to address this corner case systemically at libqb is coming along (https://github.com/ClusterLabs/libqb/pull/231). Affected versions: 1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21) Impact: Important CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Credits for independent findings, in chronological order: Jan "poki" Pokorný, of Red Hat Alain Moulle, of ATOS/BULL Patch for the issue, which is applicable on all affected versions: https://github.com/ClusterLabs/pacemaker/pull/1166/commits/5a20855d6054ebaae590c09262b328d957cc1fc2 -- Jan (Poki) Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ