Improper Authorization in clusterlabs/pcs
Mar 7th 2022
Pacemaker's daemon pcsd allows authentication via PAM's pam_authenticate. Unfortunately, the authorization via pam_acct_mgmt has been omitted. Therefore, unprivileged expired accounts that have been denied access can still log in.
Proof of Concept
You can expire an account with
chage -E0 <username>
Since disabling an account in PAM still allows login via SSH keys, it's common to set accounts to expire if you want to deny access. So accounts that technically don't have any privilege are still allowed to log in here. This also applies to accounts with expired passwords. A fix is supplied in the report.
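To gauge exposure on a node that ran an unfixed pcsd, the following added example (not code from the report or from pcs) lists local accounts whose password pam_authenticate would accept although pam_acct_mgmt would refuse them. It assumes local accounts handled by pam_unix and only approximates that module's expiry checks; the function names and the sample shadow data are constructed for illustration.

```python
"""Triage helper: which shadow(5) entries would pam_acct_mgmt reject?"""
import time

# Linux-PAM return codes (security/_pam_types.h)
PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = 0, 12, 13

def _num(field):
    # An empty shadow field means "not set"; use -1 as the sentinel.
    return int(field) if field.strip() else -1

def acct_mgmt_verdict(shadow_line, today=None):
    """Approximate the account checks pam_unix performs in pam_acct_mgmt."""
    if today is None:
        today = int(time.time() // 86400)      # days since 1970-01-01
    f = shadow_line.rstrip("\n").split(":")
    lastchg, maxdays, expire = _num(f[2]), _num(f[4]), _num(f[7])
    if expire != -1 and today >= expire:
        return PAM_ACCT_EXPIRED                # e.g. after `chage -E0 <username>`
    if lastchg == 0:
        return PAM_NEW_AUTHTOK_REQD            # password change forced
    if maxdays != -1 and lastchg != -1 and today - lastchg > maxdays:
        return PAM_NEW_AUTHTOK_REQD            # password has aged out
    return PAM_SUCCESS

def exposed_accounts(shadow_text, today=None):
    """Accounts that can still pass a password check but fail the account check."""
    hits = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        # Skip malformed lines and locked hashes (pam_authenticate already fails).
        if len(f) < 8 or f[1][:1] in ("!", "*"):
            continue
        verdict = acct_mgmt_verdict(line, today)
        if verdict != PAM_SUCCESS:
            hits.append((f[0], verdict))
    return hits

# Constructed sample in shadow(5) format; the hashes are placeholders.
SAMPLE = """\
alice:$6$salt$hash:19000:0:99999:7:::
bob:$6$salt$hash:19000:0:99999:7::0:
carol:$6$salt$hash:18000:0:90:7:::
dave:!$6$salt$hash:19000:0:99999:7::0:
"""

if __name__ == "__main__":
    # Day 19058 is 2022-03-07, the date of the report.
    for user, code in exposed_accounts(SAMPLE, today=19058):
        print(user, code)
```

On a real node, pass the contents of /etc/shadow (read as root) instead of SAMPLE; accounts served by other PAM modules such as a directory service are not covered by this check.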
Thank you for reaching out and reporting this issue. I have contacted our internal security team to review it and assess its severity. I'll get back to you and confirm the vulnerability when I hear from them.
Hey, will do when github works again. Currently my repository throws 500 errors back and forth.
@admin I can't choose the repository since it is named differently (pcs-1) than the original project name.
Hello @ysf 👋
Are you trying to submit a fix?
@Yes - It's already in my branch pcs-1 and a PR in the clusterlabs/pcs repository. @maintainer will you assign a CVE through redhat to this issue?
Gna. I meant @admin of course.
@ysf I'm not in charge of the CVE process, but I forwarded your question to Red Hat Security team.
@maintainer - with regards to the CVE, we are happy to assign and publish a CVE on your behalf if you would like?
@ysf - with regards to the fix, it seems like a bug in our UI preventing you from selecting a differently named fork.
Can you please confirm the name of the branch, and I will deal with patch submission on my end on your behalf? 👍
@admin it's https://github.com/ysf/pcs-1/tree/fix_pam_authorization
It doesn't look like there is a diff yet?
@admin I just merged the fix by @ysf
Exactly, there is no diff because it already has been merged. You can see the reference to huntr.dev in the CHANGELOG.md
In any case, it doesn't actually matter, as we just request the patch to be able to share the diff URL with the maintainer in the comments section.
@maintainer - you can still proceed to confirm fix and select @ysf as the fixer in the dropdown as a patch has still been submitted and recorded 👍
We will just need to address this minor bug :)
Would you like us to assign and publish a CVE for this report?
CVE-2022-1049 has been assigned for this issue.
I have added the CVE to the report 👍