CVE-2015-3983 in PCS
Summary
by MITRE
The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to different vulnerability types.
Analysis
by VulDB Data Team • 05/17/2022
The vulnerability identified as CVE-2015-3983 affects the pcs daemon component within the Pacemaker Cluster Suite version 0.9.137 and earlier releases. This daemon serves as a crucial communication interface for cluster management operations and handles authentication mechanisms through HTTP cookie-based sessions. The flaw manifests in the daemon's response headers where it fails to properly configure session cookies with the HTTPOnly flag, creating a significant security gap in the authentication infrastructure. This issue represents a classic session management weakness that directly impacts the confidentiality and integrity of user authentication tokens within cluster environments.
The technical implementation of this vulnerability stems from improper cookie configuration within the pcsd daemon's HTTP response handling. When the daemon establishes user sessions, it generates Set-Cookie headers that should include the HTTPOnly flag to prevent client-side script access to sensitive session information. Without this flag, JavaScript running in web browsers can access the cookie through document.cookie API calls, making it vulnerable to cross-site scripting attacks. This weakness allows attackers to harvest session tokens and potentially impersonate legitimate users within the cluster management interface. The vulnerability specifically aligns with CWE-1004 which addresses insecure cookie attributes and represents a failure to properly implement security controls in web application frameworks.
The operational impact of this vulnerability extends beyond simple information disclosure, as it creates a pathway for attackers to escalate privileges within cluster environments. Remote attackers can leverage this weakness to obtain session cookies that may carry administrative privileges or expose sensitive cluster configuration data. In cluster management scenarios, where the pcs daemon often handles critical infrastructure operations and access controls, compromised session tokens could lead to unauthorized modifications of cluster configurations, service management, or even complete system compromise. The vulnerability is particularly concerning in enterprise environments where cluster management interfaces are exposed to untrusted networks, as it gives attackers an easy route to elevated access on critical infrastructure components.
Organizations should implement immediate mitigations including upgrading to PCS versions that address this vulnerability, typically those beyond 0.9.137. The primary technical fix involves ensuring that all Set-Cookie headers generated by the pcs daemon include the HTTPOnly flag in their configuration. Security teams should also conduct comprehensive cookie audit procedures across all web applications and services, particularly those handling authentication tokens. Network segmentation strategies should be implemented to limit exposure of cluster management interfaces, and monitoring systems should be enhanced to detect unusual cookie access patterns. From an ATT&CK framework perspective, this vulnerability maps to T1566 (Phishing) and T1078 (Valid Accounts) where attackers can leverage the compromised session tokens to establish persistent access to cluster management systems. Additional defensive measures include implementing Content Security Policy headers, regular security scanning of web applications, and ensuring proper input validation for all cookie handling mechanisms to prevent exploitation through related vulnerabilities.
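The cookie audit and the fix described above, as an added example that is not VulDB's or the pcs project's code: it parses the Set-Cookie headers of a raw HTTP response, reports cookies lacking the HttpOnly attribute (spelled HTTPOnly above; Secure is checked alongside it as a related attribute), and shows how a header value is amended so that it carries the flag. The response text is constructed for illustration and is not captured pcsd output.

```python
"""Audit Set-Cookie headers for the weakness behind CVE-2015-3983.

Reports cookies that lack HttpOnly (CWE-1004), with Secure as a related
check. SAMPLE_RESPONSE is constructed for illustration, not pcsd output.
"""

# Constructed sample: the first cookie mirrors the vulnerable pattern
# (session cookie without HttpOnly); the second is correctly hardened.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html></html>"
)

def parse_set_cookies(raw_response: str) -> list:
    """One dict per Set-Cookie header: name, value, attrs (lower-cased keys)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
        cookies.append({"name": name, "value": value, "attrs": attrs})
    return cookies

def audit_cookies(raw_response: str) -> dict:
    """Map cookie name -> list of missing attributes (HttpOnly, Secure)."""
    findings = {}
    for c in parse_set_cookies(raw_response):
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in c["attrs"]]
        if missing:
            findings[c["name"]] = missing
    return findings

def harden_set_cookie(header_value: str) -> str:
    """Append HttpOnly and Secure to a Set-Cookie value when absent (the fix shape)."""
    present = {p.strip().split("=", 1)[0].lower() for p in header_value.split(";")[1:]}
    out = header_value.rstrip("; ")
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            out += f"; {flag}"
    return out
```

Running audit_cookies on a captured response from a cluster management interface flags any session cookie that would be readable through document.cookie; harden_set_cookie shows the header shape a patched daemon should emit.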