CVE-2018-19044 in keepalived
Summary
by MITRE
keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.
Analysis
by VulDB Data Team • 06/05/2023
The vulnerability identified as CVE-2018-19044 affects keepalived version 2.0.8, a critical component in high-availability networking systems that implements the Virtual Router Redundancy Protocol (VRRP) and manages load-balancing services. The flaw is a path traversal and symlink manipulation issue in the software's temporary file handling: when the PrintData or PrintStats functions run, the application creates files in the /tmp directory without checking whether the target path is a symbolic link, so a local attacker can redirect the write and overwrite critical system files.
Exploitation relies on the kernel's fs.protected_symlinks setting being disabled (set to 0), which removes the protection that normally stops a process from following symlinks planted by other users in world-writable sticky directories such as /tmp. When keepalived executes PrintData or PrintStats, it writes to predictable locations such as /tmp/keepalived.data or /tmp/keepalived.stats without verifying that these paths are not symbolic links. A local attacker can therefore create a symlink at one of these names pointing to a sensitive system file such as /etc/passwd, and keepalived will overwrite that file with its own dump data. The vulnerability is categorized under CWE-353 as "Check for Weaknesses in File Name Handling" and represents a classic path traversal attack vector that bypasses normal file system access controls.
The operational impact of CVE-2018-19044 is significant in environments that rely on keepalived for network redundancy and failover management. Local attackers who can execute processes on a system running a vulnerable keepalived version gain the ability to modify critical system files, potentially leading to privilege escalation, service disruption, or complete system compromise. The vulnerability affects any system where keepalived is installed and running with default configurations, which makes it particularly dangerous in production environments where the software handles sensitive network infrastructure. Attackers can leverage this weakness to gain persistent access by modifying authentication files, creating backdoors, or disrupting network services that depend on keepalived, with potential consequences ranging from denial of service to full system takeover.
Security mitigations for this vulnerability involve multiple layers of protection that align with the ATT&CK framework's defense-in-depth principles. The primary fix is to update keepalived to a version that validates the output path before creating the file, typically through patches that implement proper path validation and file descriptor management. System administrators should also set the kernel parameter fs.protected_symlinks to 1: the kernel then refuses to follow a symlink in a world-writable sticky directory unless the link's owner matches the follower or the directory owner, which blocks this class of attack in /tmp (it does not protect symlinks in other directories). Additional protective measures include strict file system permissions for temporary directories, monitoring for suspicious symlink creation, and least-privilege controls that limit local user access to critical system files. Organizations should also consider intrusion detection systems that can identify anomalous file modification patterns, and conduct regular security audits to verify that no malicious symlinks have been established in the system's temporary directories.
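To make the mechanism and the fix concrete, the following added example (written for this page, not keepalived's own code or its upstream patch) stages a constructed victim file and a planted symlink in a private scratch directory, runs the vulnerable fixed-path write pattern described above against it, and then runs a hardened mkstemp()-plus-rename() writer against the same link. All paths and names are made up for the demonstration.

```c
/* Added example, not keepalived's own code: the fixed-path dump pattern behind
 * CVE-2018-19044 beside a hardened writer, staged in a private scratch directory. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable: open(O_CREAT|O_TRUNC) follows a symlink planted at the fixed
 * name, so the dump truncates and overwrites whatever the link points at. */
static int dump_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int ok = dprintf(fd, "%s", data) == (int)strlen(data);
    return close(fd) == 0 && ok ? 0 : -1;
}
/* Hardened: mkstemp() makes a brand-new regular file (O_EXCL, never a symlink),
 * then rename() swaps it over the fixed name without following a link there. */
static int dump_safe(const char *path, const char *data)
{
    char tmp[512];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = dprintf(fd, "%s", data) == (int)strlen(data) && close(fd) == 0;
    if (!ok || rename(tmp, path) < 0) { unlink(tmp); return -1; }
    return 0;
}
/* Size of a regular file at p without following symlinks, -1 otherwise. */
static int regsize(const char *p)
{
    struct stat st;
    return (lstat(p, &st) == 0 && S_ISREG(st.st_mode)) ? (int)st.st_size : -1;
}
/* Bit 0: the unsafe writer shrank the 8-byte victim to 4 bytes through the link.
 * Bit 1: the safe writer left the victim alone and replaced the link with a file. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/cve-2018-19044-demo.XXXXXX", victim[256], link[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/keepalived.data", dir);
    if (dump_safe(victim, "original") < 0 || symlink(victim, link) < 0) return -1;
    int r = (dump_unsafe(link, "dump") == 0 && regsize(victim) == 4) ? 1 : 0;
    if (dump_safe(link, "stats") == 0 && regsize(victim) == 4 && regsize(link) == 5) r |= 2;
    return r;
}
```

The scratch directory is private (mode 0700, not sticky) and the link is owned by the same user, so the outcome does not depend on fs.protected_symlinks; in a real /tmp that sysctl set to 1 would already stop the unsafe write when the link belongs to another user.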