CVE-2018-10905

Impact:
Important
Public Date:
2018-07-20
CWE:
CWE-284
Bugzilla:
1602190: CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby (DRb) module installed on the system to execute arbitrary shell commands using `instance_eval()`.

Find out more about CVE-2018-10905 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 7.8
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
CloudForms Management Engine 5.8 (cfme) RHSA-2018:2745 2018-09-26
CloudForms Management Engine 5.9 (cfme) RHSA-2018:2561 2018-09-04

Acknowledgements

Red Hat would like to thank Stephen Gappinger (American Express) for reporting this issue.

Mitigation

Administrators of the CloudForms appliance can filter local packets going to the port where MIQ Server is listening, by using the following iptables command:
# iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport <MIQ Server port> -m owner '!' --uid-owner root -j DROP

Where the MIQ Server port can be found using the netstat command:
# netstat -nl --tcp -p | grep -i "miq server"
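As an added example (not part of the Red Hat advisory), the POSIX shell functions below automate the two steps above: they pull the MIQ Server listening port out of `netstat -nl --tcp -p` output and build the matching iptables OUTPUT rule, printing it so an administrator can review it before applying it as root. The `NETSTAT_SAMPLE` text, its port 54321 and PID 12345 are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory: locate the MIQ Server port in
# netstat output and emit the mitigation rule for it.

# Constructed sample of `netstat -nl --tcp -p` output (port and PID are made up).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:54321         0.0.0.0:*               LISTEN      12345/MIQ Server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1011/sshd'

# Print the port of the first LISTEN line whose program name contains
# "miq server" (case-insensitive). Column 4 is "Local Address" as ip:port.
miq_server_port() {
  printf '%s\n' "$1" | awk '
    tolower($0) ~ /miq server/ && $6 == "LISTEN" {
      sub(/.*:/, "", $4)   # keep only the part after the last colon
      print $4
      exit
    }'
}

# Build the iptables rule from the advisory for the given port: drop TCP
# packets leaving on the loopback interface towards that port unless the
# sending process runs as root. Only prints the command; run it as root.
miq_drop_rule() {
  printf 'iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport %s -m owner ! --uid-owner root -j DROP\n' "$1"
}

# Convenience wrapper: derive the port from netstat output, fail loudly if
# MIQ Server is not found, otherwise print the rule.
miq_mitigation_for() {
  port=$(miq_server_port "$1")
  if [ -z "$port" ]; then
    echo "MIQ Server listener not found in netstat output" >&2
    return 1
  fi
  miq_drop_rule "$port"
}

# Stand-alone usage against the constructed sample; on a real appliance use
#   miq_mitigation_for "$(netstat -nl --tcp -p)"
miq_mitigation_for "$NETSTAT_SAMPLE"
```

The rule is inserted at position 1 of the OUTPUT chain so it takes precedence over any existing accept rules; the `-m owner ! --uid-owner root` match is what leaves the root-owned MIQ processes able to talk to the port while blocking other local users, which is the access the CVE describes.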
