Re: [ClusterLabs] [SECURITY] CVE-2016-7035 - pacemaker - improper IPC guarding

2016-11-03 Thread Ken Gaillot
On 11/03/2016 06:03 AM, Jan Pokorný wrote:
> The following issue is being publicly disclosed today; more information
> regarding the release process will arrive later today, and this is also
> an opportunity to announce the http://clusterlabs.org/wiki/Security
> page that was introduced to help keep track of security issues
> (any fellow project is welcome to use that as well; Andrew or Ken
> can make an account on the wiki on your behalf).
> 
> It was discovered that under some not so uncommon circumstances, some
> pacemaker daemons could be talked to, via libqb-facilitated IPC, by
> unprivileged clients due to a flawed authorization decision.  Depending
> on the capabilities of the affected daemons, this might equip an
> unauthorized user with local privilege escalation or up to cluster-wide
> remote execution of possibly arbitrary commands when such a user happens
> to reside on a standard or remote/guest cluster node, respectively.
> 
> The original vulnerability was introduced in an attempt to allow
> unprivileged IPC clients to clean up the file system materialized
> leftovers in case the server (otherwise responsible for the lifecycle
> of these files) crashes.  While the intended part of such behavior is
> now effectively voided (along with the unintended one), a best-effort
> fix to address this corner case systemically at libqb is coming along
> (https://github.com/ClusterLabs/libqb/pull/231).
> 
> Affected versions:  1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
> Impact: Important
> CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
> 
> Credits for independent findings, in chronological order:
>   Jan "poki" Pokorný, of Red Hat
>   Alain Moulle, of ATOS/BULL
> 
> 
> Patch for the issue, which is applicable on all affected versions:
> https://github.com/ClusterLabs/pacemaker/pull/1166/commits/5a20855d6054ebaae590c09262b328d957cc1fc2

More details:

A fix has been applied to Pacemaker's upstream master branch. Also, we
are starting the release process for 1.1.16 today, so the fix is
included in the 1.1 branch as well. It is additionally attached in patch
format to this message.

Anyone who has built one of the affected Pacemaker versions from source
is strongly encouraged to apply the patch, or rebuild from a current
branch. Popular distributions are expected to have patched packages
available soon (some already released today).

From edba45825a11513661840fbc8c4b81f607fed18b Mon Sep 17 00:00:00 2001
From: Jan Pokorný
Date: Tue, 23 Aug 2016 18:09:49 +0200
Subject: [PATCH] High: libcrmcommon: fix CVE-2016-7035 (improper IPC guarding)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It was discovered that under some not so uncommon circumstances, some
pacemaker daemons could be talked to, via libqb-facilitated IPC, by
unprivileged clients due to a flawed authorization decision.  Depending
on the capabilities of the affected daemons, this might equip an
unauthorized user with local privilege escalation or up to cluster-wide
remote execution of possibly arbitrary commands when such a user happens
to reside on a standard or remote/guest cluster node, respectively.

The original vulnerability was introduced in an attempt to allow
unprivileged IPC clients to clean up the file system materialized
leftovers in case the server (otherwise responsible for the lifecycle
of these files) crashes.  While the intended part of such behavior is
now effectively voided (along with the unintended one), a best-effort
fix to address this corner case systemically at libqb is coming along.

Affected versions:  1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
Impact: Important
CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Credits for independent findings, in chronological order:
  Jan "poki" Pokorný, of Red Hat
  Alain Moulle, of ATOS/BULL
---
 lib/common/ipc.c | 14 +++---
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/lib/common/ipc.c b/lib/common/ipc.c
index 6d6d3cd..9f63dfe 100644
--- a/lib/common/ipc.c
+++ b/lib/common/ipc.c
@@ -293,7 +293,6 @@ crm_client_disconnect_all(qb_ipcs_service_t *service)
 crm_client_t *
 crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
 {
-static uid_t uid_server = 0;
 static gid_t gid_cluster = 0;
 
 crm_client_t *client = NULL;
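Review bot: dropping the `static uid_t uid_server` declaration is the right call (the server's own uid has no place in a per-client decision), but a deleted declaration is only safe if every use goes with it; the later hunks remove the `uid_server = getuid()` assignment and the `uid_client == 0 || uid_server == 0` test, and the diffstat's 11 deletions suggest nothing else referenced it, which the full commit should confirm. A short comment above `crm_client_new` stating the rule now in force (admission rests on the `uid_client`/`gid_client` supplied by libqb, nothing server-side) would keep a later reader from reintroducing a server-side credential.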
@@ -304,7 +303,6 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
 }
 
 if (gid_cluster == 0) {
-uid_server = getuid();
 if(crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster) < 0) {
 static bool have_error = FALSE;
 if(have_error == FALSE) {
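Review bot: with `uid_server = getuid()` gone, the `gid_cluster == 0` block is now purely the one-time `crm_user_lookup(CRM_DAEMON_USER, ...)` of the cluster gid, and the `have_error` flag only throttles the log message; what happens to a client when the lookup fails and `gid_cluster` stays 0 is not visible in this hunk, so confirm that path refuses non-root clients rather than falling through. Note also that `gid_cluster == 0` doubles as the "not looked up yet" sentinel, so a failed lookup is retried on every new connection; harmless, but worth a comment.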
@@ -314,16 +312,10 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
 }
 }
 
-if(gid_cluster != 0 && gid_client != 0) {
-uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
-
-if(uid_client == 0 || uid_server == 0) { /* Someone is priv
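Review bot: the `uid_client == 0 || uid_server == 0` test on the last visible line is the flaw itself: whenever the daemon runs as root, `uid_server == 0` makes the condition true for every client, so the branch commented `Someone is priv...` ran regardless of who connected. Removing the whole `gid_cluster != 0 && gid_client != 0` block, including the `best_uid = -1` chown helper, is the correct fix rather than a narrower condition, since the ownership handoff for unprivileged cleanup is exactly the behaviour the commit message says is being voided. The archive truncates this hunk here, so the rest of the removed block and the three insertions counted in the diffstat are not visible; review the full commit at the linked pull request before relying on this excerpt.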

[ClusterLabs] [SECURITY] CVE-2016-7035 - pacemaker - improper IPC guarding

2016-11-03 Thread Jan Pokorný
The following issue is being publicly disclosed today; more information
regarding the release process will arrive later today, and this is also
an opportunity to announce the http://clusterlabs.org/wiki/Security
page that was introduced to help keep track of security issues
(any fellow project is welcome to use that as well; Andrew or Ken
can make an account on the wiki on your behalf).

It was discovered that under some not so uncommon circumstances, some
pacemaker daemons could be talked to, via libqb-facilitated IPC, by
unprivileged clients due to a flawed authorization decision.  Depending
on the capabilities of the affected daemons, this might equip an
unauthorized user with local privilege escalation or up to cluster-wide
remote execution of possibly arbitrary commands when such a user happens
to reside on a standard or remote/guest cluster node, respectively.

The original vulnerability was introduced in an attempt to allow
unprivileged IPC clients to clean up the file system materialized
leftovers in case the server (otherwise responsible for the lifecycle
of these files) crashes.  While the intended part of such behavior is
now effectively voided (along with the unintended one), a best-effort
fix to address this corner case systemically at libqb is coming along
(https://github.com/ClusterLabs/libqb/pull/231).

Affected versions:  1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
Impact: Important
CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Credits for independent findings, in chronological order:
  Jan "poki" Pokorný, of Red Hat
  Alain Moulle, of ATOS/BULL


Patch for the issue, which is applicable on all affected versions:
https://github.com/ClusterLabs/pacemaker/pull/1166/commits/5a20855d6054ebaae590c09262b328d957cc1fc2

-- 
Jan (Poki)


___
Users mailing list: Users@clusterlabs.org
http://clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org