CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when snapshot scheduling is enabled

Updated -

Environment

Red Hat Gluster Storage 3
Red Hat Enterprise Virtualization

Issue

This flaw is based on a symlink (symbolic link) attack. Any glusterfs client with access to a gluster node, can mount gluster_shared_storage volume without authentication. This volume contains a file which is the target of a symlink from /etc/cron.d, and can be used to configure cron jobs for arbitrary users. After mounting gluster_shared_storage, the client can overwrite this file to schedule a cron job which would run as root. This would lead to privilege escalation on the gluster server.

The dangerous symlink is created when gluster snapshot scheduling is enabled. This requires a gluster administrator to run snap_scheduler.py init, using the script included in the glusterfs-server package. Note that if snapshot scheduling is later disabled, the symlink is not automatically removed so your system may remain vulnerable.

Case Scenario

Server-A, Server-B, Server-C    - glusterfs servers
Client-B                        - glusterfs client
  1. Gluster server admin creates gluster_shared_storage volume on all glusterfs server nodes (Server-A,Server-B,Server-C) for snapshot scheduling.
  2. Gluster server admin then executes snap_scheduler.py init on Server-A, resulting in creation of:
    • glusterfs_snap_cron_tasks file within gluster_shared_storage_volume
    • /etc/cron.d/glusterfs_snap_cron_tasks (symbolic link to the above file)
  3. gluster_shared_storage volume can be mounted without authentication by any gluster client (including Client-B)
  4. Client-B mounts this volume read/write, and creates arbitrary/malicious entries in glusterfs_snap_cron_tasks
  5. Cron jobs created in glusterfs_snap_cron_tasks are executed on Server-A, as the local root user

Impact

Red Hat Product Security has rated this issue Important. This flaw could be use to execute malicious cronjobs resulting in privilege escalation and arbitrary command execution on gluster server nodes.

Red Hat Enterprise Virtualization does not use the snap_scheduler.py script by default: snapshots configured through the web UI use a different mechanism that does not expose this vulnerability. However, if snap_scheduler.py has ever been used from the command line on a hypervisor, that host may be vulnerable. Administrators can determine if their systems are vulnerable by following the steps in "Detection" section below.

Resolution

Mitigations are described below. Patches for all affected components will be made available in future updates.

Detection

If snapshot scheduling has ever been enabled on your system, it may be vulnerable. You can test for this using the following steps (# represents the root shell prompt):

    # gluster volume get all cluster.enable-shared-storage
    Option                                Value
    -------                               -----
    cluster.enable-shared-storage         disable

If the output says disable (as above), you are safe. If the output says enable, also run the following command:

    # ls -l /etc/cron.d/glusterfs_snap_cron_tasks

If the output says ls: No such file or directory, you are safe. If the output shows a symbolic link to /var/run/gluster/shared_storage/..., your system is vulnerable and should be upgraded with the packages listed below.

Mitigation

  1. gluster server should be on LAN and not reachable from public networks.
  2. Use gluster auth.allow and auth.reject.
  3. Use TLS certificates between gluster server nodes and clients.

Caveat: This would only mitigate attacks from unauthorized malicious clients. gluster clients allowed by auth.allow or having signed TLS certificates for clients would still be able to trigger this attack.

Errata

This issue was resolved with the release of the following Security Errata.

Red Hat Gluster Storage 3

RHSA-2018:1136
RHSA-2018:1137

Root Cause

By architecture, gluster allows all clients to mount any volume, including the shared storage volume involved in this vulnerability. If at any point the gluster snapshot scheduler is enabled (by running snap_scheduler.py init) it will create a symlink in /etc/cron.d which is owned by root. Any user who is able to mount the gluster shared storage volume can then schedule cronjobs.

More information about this issue can be found on our CVE page: CVE-2018-1088