Werk #9520: Fix privilege escalation
| Component | Cluster |
| Title | Fix privilege escalation |
| Date | Mar 27, 2023 |
| Level | Trivial Change |
| Class | Bug Fix |
| Compatibility | Compatible - no manual interaction needed |
| Appliance Version | 1.6.4 |
When two nodes are joined to a cluster, a secret is generated on the primary node and transferred to the secondary. Prior to this Werk, the secondary node failed to restrict the permissions this secret so it was world-readable. In case the secondary node took over to serve the Monitoring Sites (e.g. fail-over) a site was then able to access this secret. With that secret one could get root-access on both cluster nodes.
This vulnerability was identified through a commissioned penetration test conducted by OPTIMAbit (Roman Mueller).
Mitigations: In case updateing is not possible, one can set the permissions explicitly:
chmod 600 /etc/cma/api.secret
If a leakage of that secret cannot be ruled out one should rotate the secret, in order to do so change the /etc/cma/api.secret on both nodes to a newly generated secret.
Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We assigned CVE-2023-22294 to this vulnerability.
Changes: This Werk sets the appropriate permissions to the secret file. The secret will be rotated too.