Date: Mon, 9 Apr 2018 13:28:08 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: pcs: disclosure of CVE-2018-1079 and CVE-2018-1086

Hi all,

This is to publicly disclose the following CVEs, rated as Medium and High.
Affected product is pcs (Pacemaker command line interface and GUI,
https://github.com/ClusterLabs/pcs)

* [high] CVE-2018-1079 pcs: Privilege escalation via authorized user
  malicious REST call

It was found that the REST interface of the pcsd service did not properly
sanitize the file name from the /remote/put_file query. If the /etc/booth
directory exists, an authenticated attacker with write permissions could
create or overwrite arbitrary files with arbitrary data outside of the
/etc/booth directory, in the context of the pcsd process.

vulnerable since: support for booth file transfer was added
(commit dc7089b1, v. 0.9.157)
Patch attached

* [medium] CVE-2018-1086 pcs: Debug parameter removal bypass, allowing
  information disclosure:

To prevent some information disclosure, pcsd actively removes '--debug'
from command requested over the REST interface, but this can be bypassed.
The information gained could then be used to gain higher privileges.

Patch attached

The CVE-2018-1079 issue was discovered by Ondrej Mular (Red Hat) and the
CVE-2018-1086 issue was discovered by Cedric Buissart (Red Hat).

--
Cedric Buissart,
Product Security

View attachment "CVE-2018-1079.patch" of type "text/x-patch" (479 bytes)
View attachment "CVE-2018-1086.patch" of type "text/x-patch" (1744 bytes)
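The class of check that CVE-2018-1079 describes as missing, as an added example that is not part of the original message and does not reproduce the attached patch: a client-supplied file name is accepted only if it is a bare name that resolves to a direct child of the target directory. The directory comes from the advisory; the helper names (`validate_booth_file_name`, `booth_destination`, `classify`) and the sample names are constructed for illustration.

```ruby
require 'pathname'

# Directory named in the advisory; everything else here is hypothetical.
BOOTH_DIR = '/etc/booth'

class UnsafeFileName < StandardError; end

# Accept only a bare file name: no separators, no NUL byte, no dot entries.
def validate_booth_file_name(name)
  raise UnsafeFileName, 'empty or non-string name' unless name.is_a?(String) && !name.empty?
  raise UnsafeFileName, 'NUL byte in name' if name.include?("\0")
  raise UnsafeFileName, 'path separator in name' if name.include?('/') || name.include?('\\')
  raise UnsafeFileName, 'dot entry' if ['.', '..'].include?(name)
  name
end

# Second, independent check: after joining and normalising, the destination
# must still be a direct child of base_dir. This is lexical only; the code
# that opens the file must additionally refuse to follow symlinks.
def booth_destination(name, base_dir = BOOTH_DIR)
  validate_booth_file_name(name)
  base = Pathname.new(base_dir).cleanpath
  dest = (base + name).cleanpath
  raise UnsafeFileName, 'destination escapes base directory' unless dest.dirname == base
  dest.to_s
end

# Map each candidate name to its resolved path or to the rejection reason.
def classify(names)
  names.map do |n|
    begin
      [n, booth_destination(n)]
    rescue UnsafeFileName => e
      [n, "rejected: #{e.message}"]
    end
  end
end

# Constructed sample names, not taken from any real request.
SAMPLE_NAMES = ['booth.conf', 'booth.key', '../cron.d/job', '/etc/passwd', '..', 'sub/booth.conf'].freeze

if __FILE__ == $PROGRAM_NAME
  classify(SAMPLE_NAMES).each { |name, result| puts "#{name.inspect} -> #{result}" }
end
```

Nothing is written to disk; the functions only compute and validate paths, so the block can be run on any host.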