An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.
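The description above is a shell code injection into a command line built by a privileged tool. As an added illustration of that vulnerability class (not crmsh's own code, and not the actual crm history code path), the Python below contrasts a helper that interpolates caller-controlled text into a string handed to /bin/sh with two safe forms: an argv list executed without a shell, and shlex.quote() when a shell string is unavoidable. `echo` stands in for the real command so the example runs offline; the argument value is constructed.

```python
"""Shell-injection pattern of the kind described for "crm history".

Added illustration of the vulnerability class, not crmsh's own code.
`echo` stands in for the real command so the example runs offline.
"""
import shlex
import subprocess

# Constructed sample: an argument an unprivileged caller controls. The
# "; echo INJECTED" tail is the injected shell code.
UNTRUSTED_ARG = "node1; echo INJECTED"


def run_vulnerable(arg: str) -> str:
    """Vulnerable: untrusted text lands in a string parsed by /bin/sh, so
    ';' ends the intended command and the attacker's command runs too.
    If the caller is privileged, the injected command runs privileged."""
    cmd = f"echo history {arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(arg: str) -> str:
    """Hardened: argv list, no shell. Metacharacters are ordinary bytes of
    one argument and never reach a parser that would interpret them."""
    return subprocess.run(["echo", "history", arg],
                          capture_output=True, text=True).stdout


def run_quoted(arg: str) -> str:
    """Hardened alternative when a shell string cannot be avoided (e.g. the
    command is forwarded to a remote shell over ssh): quote each untrusted
    token so the shell sees it as a single word."""
    cmd = f"echo history {shlex.quote(arg)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True if the injected command produced its own output line, i.e. the
    shell actually executed the attacker-supplied part."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for name, fn in (("vulnerable", run_vulnerable),
                     ("argv", run_argv),
                     ("quoted", run_quoted)):
        out = fn(UNTRUSTED_ARG)
        print(f"{name:10s} injected={injected(out)} output={out!r}")
```

The argv form is the one to prefer: it removes the shell from the local side entirely, so no allowlist or escaping of metacharacters has to be kept correct. Quoting is only the fallback for the case where the command string itself is the payload sent to another shell.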
Maintainers, I can't find a patch applied to crmsh in Git, so please confirm
if a newer release fixes this issue. There's also a patch at URL which might
work if not.
I dropped the older versions, only 4.2.1 is left in tree!
Hmm, on a second read, it seems that "through" 4.2.1 means that it's also affected, right?
There's no higher release yet.
# crm node status
No module named 'parallax'
in version 4.2.1?
Package list is empty or all packages have requested keywords.
Patches in 4.3.1:
These also reference CVE-2021-3020, which is only marked as reserved. The corresponding SUSE bug is also private.
An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.
I'm not sure how crmsh relates to this.
Sergey, since you reversed the mask, could you offer any commentary on this security bug? If these issues aren't solved, we may as well last rite this for its security problems.
(In reply to John Helmert III from comment #12)
> Sergey, since you reversed the mask, could you offer any commentary on this
> security bug? If these issues aren't solved, we may as well last rite this
> for its security problems.
Older versions of crmsh ship hardcoded values to autoconfigure root ssh keys and execute commands at root level. Newer versions can do this for a supplied user, instead of root.
This is definitely fixed in 4.3.1
I am working on a version bump (to 4.4.0), but it requires some time, because my test lab is not perfect in terms of speed :-/