Date: Mon, 9 Apr 2018 13:28:08 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: pcs: disclosure of CVE-2018-1079 and CVE-2018-1086

Hi all,

This is to publicly disclose the following CVEs, rated as Medium and High.
Affected product is pcs (Pacemaker command line interface and GUI,
https://github.com/ClusterLabs/pcs)

* [high] CVE-2018-1079 pcs: Privilege escalation via authorized user
malicious REST call

It was found that the REST interface of the pcsd service did not properly
sanitize the file name from the /remote/put_file query. If the /etc/booth
directory exists, an authenticated attacker with write permissions could
create or overwrite arbitrary files with arbitrary data outside of the
/etc/booth directory, in the context of the pcsd process.

vulnerable since: support for booth file transfer was added (commit
dc7089b1, v. 0.9.157)

Patch attached

* [medium] CVE-2018-1086 pcs: Debug parameter removal bypass, allowing
information disclosure:

To prevent some information disclosure, pcsd actively removes '--debug'
from commands requested over the REST interface, but this can be bypassed.
The information gained could then be used to gain higher privileges.

Patch attached

The CVE-2018-1079 issue was discovered by Ondrej Mular (Red Hat) and the
CVE-2018-1086 issue was discovered by Cedric Buissart (Red Hat).

-- 
Cedric Buissart,
Product Security

View attachment "CVE-2018-1079.patch" of type "text/x-patch" (479 bytes)

View attachment "CVE-2018-1086.patch" of type "text/x-patch" (1744 bytes)
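
The class of check that CVE-2018-1079 concerns, confining a client-supplied file name to one directory, shown as an added example; it is not pcsd code and not the attached patch. The function names are hypothetical and a temporary directory stands in for /etc/booth.

```ruby
require 'pathname'
require 'tmpdir'

# Unsafe pattern: the client-supplied name is joined to the directory as-is.
def naive_path(base_dir, name)
  File.expand_path(File.join(base_dir, name))
end

# Hypothetical hardened helper (not pcsd code): return a path directly inside
# base_dir for a client-supplied name, or raise ArgumentError.
def confined_path(base_dir, name)
  name = name.to_s
  if name.empty? || name == '.' || name == '..' ||
     name.include?("\0") || name.include?('/') || name.include?('\\')
    raise ArgumentError, "not a plain file name: #{name.inspect}"
  end
  base = Pathname.new(base_dir).realpath # resolve symlinks in the base itself
  candidate = base + name
  # An existing symlink could redirect the write outside the directory.
  raise ArgumentError, 'target is a symlink' if candidate.symlink?
  # Defence in depth: the normalised parent must be exactly the base directory.
  raise ArgumentError, 'escapes base directory' unless candidate.cleanpath.parent == base
  candidate.to_s
end

# True when path lies strictly inside base_dir.
def inside?(base_dir, path)
  path.start_with?(File.realpath(base_dir) + File::SEPARATOR)
end

# True when confined_path refuses the name.
def rejected?(base_dir, name)
  confined_path(base_dir, name)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    base = File.realpath(tmp) # constructed stand-in for /etc/booth
    ['booth.conf', '../outside.conf', 'sub/booth.key'].each do |n| # constructed names
      puts format('%-18s naive_inside=%-5s rejected=%s',
                  n, inside?(base, naive_path(base, n)), rejected?(base, n))
    end
  end
end
```

Rejecting separators outright, rather than stripping them, avoids the bypasses that filter-and-continue sanitizers tend to have.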
