Werk #9520: Fix privilege escalation

Component Cluster
Title Fix privilege escalation
Date Mar 27, 2023
Appliance Version 1.6.4
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed

When two nodes are joined to a cluster, a secret is generated on the primary node and transferred to the secondary. Prior to this Werk, the secondary node failed to restrict the permissions this secret so it was world-readable. In case the secondary node took over to serve the Monitoring Sites (e.g. fail-over) a site was then able to access this secret. With that secret one could get root-access on both cluster nodes.

This vulnerability was identified through a commissioned penetration test conducted by OPTIMAbit (Roman Mueller).

Mitigations: In case updateing is not possible, one can set the permissions explicitly:

chmod 600 /etc/cma/api.secret

If a leakage of that secret cannot be ruled out one should rotate the secret, in order to do so change the /etc/cma/api.secret on both nodes to a newly generated secret.

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We assigned CVE-2023-22294 to this vulnerability.

Changes: This Werk sets the appropriate permissions to the secret file. The secret will be rotated too.

To the list of all Werks