Potential Vulnerability in OpenStack High Availability Environments

When deploying OpenStack with High Availability, the Red Hat OpenStack Platform Installer deploys the pacemaker configuration UI (pcsd) on all nodes in an insecure fashion. This short article explains the vulnerability and how to address it.

When deploying OpenStack with High Availability, the Red Hat OpenStack Platform installer deploys the Pacemaker configuration UI (pcsd) on all nodes. In addition, the installer also creates a user account named hacluster through which you can access pcsd.

However, the installer also sets the hacluster password to CHANGEME.

If you do not change this password, an attacker with access to the management network could easily gain control of the hacluster user account. The hacluster account has elevated privileges, and could therefore be used to further compromise the environment.

Red Hat is currently working on a security solution to address this issue. In the meantime, if you have used the installer to deploy OpenStack with high availability, you should manually change the default password of the hacluster user on all nodes, and request new authentication tokens for pcsd.

To do so, you must perform the following steps on each node:

1. Log in as the root user.
2. Change the password of the hacluster user:

# passwd hacluster     

3. Clear all past authentication tokens issued for pcsd:

# rm -rf /var/lib/pcsd/tokens/* 

4. Request new pcsd authentication tokens using the new login details:

# pcs cluster auth

For more information about configuring Pacemaker, see High Availability Add-On Administration.

To check if this password has changed yet, simply attempt to log in as the hacluster user on each node with the default password of "CHANGEME":

# ssh hacluster@<NODE_IP>

If you require assistance in addressing this vulnerability, or if you believe your environment has been compromised, please contact Red Hat Support.

Was this helpful?

We appreciate your feedback. Leave a comment if you would like to provide more detail.
It looks like we have some work to do. Leave a comment to let us know how we could improve.