CVE-2018-10905
Find out more about CVE-2018-10905 from the MITRE CVE dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 7.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| CloudForms Management Engine 5.8 (cfme) | RHSA-2018:2745 | 2018-09-26 |
| CloudForms Management Engine 5.9 (cfme) | RHSA-2018:2561 | 2018-09-04 |
Acknowledgements
Red Hat would like to thank Stephen Gappinger (American Express) for reporting this issue.
Mitigation
Administrators of the CloudForms appliance can filter local packets going to the port where MIQ Server is listening by using the following iptables command:
# iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport <MIQ Server port> -m owner '!' --uid-owner root -j DROP
The MIQ Server port can be found using the netstat command:
# netstat -nl --tcp -p | grep -i "miq server"
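As an added example (not part of the Red Hat advisory), the following POSIX shell helpers automate the two steps above: they extract the MIQ Server port from `netstat -nl --tcp -p` output, build the advisory's rule spec, and insert it only when it is not already present, so re-running does not stack duplicate rules. The function names and the sample netstat line are this example's own; the process name and rule come from the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: automate the CVE-2018-10905 mitigation.

# Constructed sample of `netstat -nl --tcp -p` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      4242/MIQ Server'

# miq_port_from_netstat: read netstat output on stdin, print the TCP port the
# "MIQ Server" process listens on (empty if it is not listening).
miq_port_from_netstat() {
    # With -n the local endpoint is ADDR:PORT (e.g. 0.0.0.0:3000 or :::3000);
    # the port is whatever follows the last colon of the 4th column.
    grep -i "miq server" | awk '{ n = split($4, a, ":"); print a[n]; exit }'
}

# miq_drop_rule: print the advisory's rule spec (without chain) for the given port.
# It drops loopback traffic to that port from every uid except root.
miq_drop_rule() {
    printf -- '-o lo -d localhost/32 -p tcp -m tcp --dport %s -m owner ! --uid-owner root -j DROP\n' "$1"
}

# apply_miq_mitigation: discover the port on this host and insert the rule at the
# top of OUTPUT unless an identical rule already exists (iptables -C).
apply_miq_mitigation() {
    port=$(netstat -nl --tcp -p 2>/dev/null | miq_port_from_netstat)
    [ -n "$port" ] || { echo "MIQ Server is not listening on TCP" >&2; return 1; }
    rule=$(miq_drop_rule "$port")
    # shellcheck disable=SC2086  # splitting the rule spec into arguments is intended
    if iptables -C OUTPUT $rule 2>/dev/null; then
        echo "rule already present for port $port"
    else
        iptables -I OUTPUT 1 $rule && echo "rule inserted for port $port"
    fi
}
```

Run `apply_miq_mitigation` as root on the appliance; the parsing and rule-building helpers can be exercised against `SAMPLE_NETSTAT` without touching the firewall.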
