CVE-2018-1079 in PCS
Summary
by MITRE
pcs before version 0.9.164 and 0.10 is vulnerable to a privilege escalation via a malicious REST call from an authorized user. The REST interface of the pcsd service did not properly sanitize the file name from the /remote/put_file query. If the /etc/booth directory exists, an authenticated attacker with write permissions could create or overwrite arbitrary files with arbitrary data outside of the /etc/booth directory, in the context of the pcsd process.
Analysis
by VulDB Data Team • 02/28/2023
The vulnerability identified as CVE-2018-1079 is a critical privilege escalation flaw in the pcs (Pacemaker Configuration System) service that affects versions prior to 0.9.164 and 0.10. It lies in the pcsd service, the daemon that manages Pacemaker clusters through a REST API. The flaw is in how the service handles file operations through its remote put_file functionality: a path traversal condition lets authenticated users write to the filesystem beyond the intended boundaries. The vulnerability is particularly concerning because it requires only authentication credentials and write permissions, so it is exploitable by users who already have legitimate access to the system but not necessarily administrative privileges.
Technically, the vulnerability stems from improper input validation in the REST interface of the pcsd service. When processing requests to the /remote/put_file endpoint, the service fails to sanitize the filename parameter extracted from the query string. This missing sanitization creates a directory traversal condition in which an attacker can manipulate the file path so that data is written outside the intended /etc/booth directory. If the /etc/booth directory exists, an attacker can create or overwrite arbitrary files with arbitrary data in the context of the pcsd process, which typically runs with elevated privileges. The flaw maps directly to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and shows how insufficient input validation can lead to privilege escalation.
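The defensive check the analysis describes, as an added example that is not pcsd's own code: a hypothetical helper confines a client-supplied put_file name to the /etc/booth base directory and rejects anything that would escape it, shown beside the naive join that a missing check amounts to. The function names and the use of Ruby's Pathname are assumptions for illustration.

```ruby
require 'pathname'

# Hypothetical base directory constant; pcsd itself is not reproduced here.
BOOTH_DIR = '/etc/booth'.freeze

# Returns the absolute path a put_file-style request may write to, or nil
# when the supplied name would land outside base_dir. Only a plain file
# name directly under the base directory is accepted.
def confine_put_file(name, base_dir = BOOTH_DIR)
  return nil if name.nil? || name.empty?
  # A NUL byte could truncate the path at a lower layer; refuse it early.
  return nil if name.include?("\0")
  # Anything that is not already a bare file name carries a directory
  # component ("../x", "sub/x", absolute paths) and is rejected outright.
  return nil if name != File.basename(name)
  return nil if name == '.' || name == '..'

  base   = Pathname.new(base_dir).cleanpath
  target = (base + name).cleanpath
  # Defence in depth: after normalisation the parent must still be the base.
  return nil unless target.dirname == base
  target.to_s
end

# The unsafe behaviour for contrast: joining the untrusted name verbatim lets
# "../" components resolve outside the base directory.
def naive_put_file(name, base_dir = BOOTH_DIR)
  File.join(base_dir, name)
end
```

A detection-side corollary is that any accepted name equals its own basename, so put_file requests whose name contains a separator or a dot-dot component are worth alerting on.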
The operational impact is significant for organizations running Pacemaker cluster management, because an authenticated attacker can compromise the integrity of both the cluster configuration and the underlying system. An attacker with write permissions to the pcsd service could overwrite critical system files, inject malicious code, or alter cluster configuration data, leading to service disruption or further compromise. The vulnerability affects systems where pcsd runs with elevated privileges, since the write happens in the context of the pcsd process. Complete system compromise is possible if the attacker can overwrite files that the system later executes, or configuration files that control cluster behavior. Because the attack requires only minimal privileges, it is particularly dangerous in environments where many users have access to the pcsd service.
Mitigation for CVE-2018-1079 combines immediate patching with operational hardening. The most effective fix is to upgrade to pcs version 0.9.164 or later, which sanitizes the file name parameter in the REST interface. Organizations should also segment the network to limit access to the pcsd service and ensure that only authorized personnel hold write permissions. Additional measures include monitoring for unusual file creation in system directories, enforcing strict access controls on the /etc/booth directory, and regularly auditing the pcsd service configuration. From an ATT&CK perspective, the vulnerability maps to T1068 - Exploitation for Privilege Escalation and T1078 - Valid Accounts, as it leverages legitimate authentication to escalate privileges through improper input handling. Organizations should also apply the principle of least privilege to pcsd service accounts and regularly review access controls to prevent unauthorized write access to cluster configuration components.