oss-sec mailing list archives
Re: CVE request: pacemaker DoS when pacemaker remote is in use
From: cve-assign () mitre org
Date: Fri, 30 Sep 2016 21:46:35 -0400 (EDT)
Last February, a vulnerability was reported against pacemaker when pacemaker remote is in use, allowing a remote, unauthenticated attacker to launch a DoS attack. If a corosync node is connected to a pacemaker_remote node, the connection can be trivially killed simply by connecting to the remote on its standard TCP port (typically 3121):

2016-02-18T18:06:45.258661+00:00 d52-54-77-77-77-01 crmd[2637]: error: Unexpected pacemaker_remote client takeover. Disconnecting

Takeover is allowed in order to support migration of the remote primitive from one corosync node to another, but since this is a trivial denial of service attack, it should only be allowed once a valid authkey is provided.

The flaw has been fixed in Pacemaker-1.1.15

Bug 5269 - DoS: valid authkey should be required for takeover of a Pacemaker remote
http://bugs.clusterlabs.org/show_bug.cgi?id=5269

Fix: remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388)
https://github.com/ClusterLabs/pacemaker/commit/5ec24a2642bd0854b884d1a9b51d12371373b410
lrmd/tls_backend.c
Use CVE-2016-7797.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
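Defender-side detection for the crmd log message quoted in the report, as an added example that is not part of this thread or of Pacemaker itself: it parses crmd log lines (the sample lines are constructed in the same format as the quoted one) and flags any host that logs several "Unexpected pacemaker_remote client takeover" disconnects within a short window, since one takeover is expected during a planned migration of the remote resource but a burst on a pre-1.1.15 node is consistent with unauthenticated connections to port 3121. The threshold and window values are assumptions to tune per cluster.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the format of the line quoted in the
# report: ISO timestamp, host, crmd[pid]: level: message.
SAMPLE_LOG = """\
2016-02-18T18:06:45.258661+00:00 d52-54-77-77-77-01 crmd[2637]: error: Unexpected pacemaker_remote client takeover. Disconnecting
2016-02-18T18:06:47.101200+00:00 d52-54-77-77-77-01 crmd[2637]: notice: Operation remote-node_start_0: ok
2016-02-18T18:06:49.900001+00:00 d52-54-77-77-77-01 crmd[2637]: error: Unexpected pacemaker_remote client takeover. Disconnecting
2016-02-18T18:06:52.400000+00:00 d52-54-77-77-77-01 crmd[2637]: error: Unexpected pacemaker_remote client takeover. Disconnecting
2016-02-18T19:30:00.000000+00:00 d52-54-77-77-77-02 crmd[1111]: error: Unexpected pacemaker_remote client takeover. Disconnecting
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) crmd\[(?P<pid>\d+)\]: (?P<level>\w+): (?P<msg>.*)$"
)
TAKEOVER_MSG = "Unexpected pacemaker_remote client takeover. Disconnecting"

def parse_takeovers(log_text):
    """Return (timestamp, host) for every takeover-disconnect event in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("msg") == TAKEOVER_MSG:
            ts = datetime.fromisoformat(m.group("ts"))
            events.append((ts, m.group("host")))
    return events

def find_takeover_bursts(log_text, threshold=2, window=timedelta(seconds=60)):
    """Flag hosts with >= threshold takeover-disconnects inside any `window`.
    Returns {host: count_in_worst_window}. A single takeover is normal during
    a planned migration of the remote primitive; a burst is not."""
    per_host = defaultdict(list)
    for ts, host in parse_takeovers(log_text):
        per_host[host].append(ts)
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        worst = 0
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[host] = worst
    return alerts
```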
Current thread:
- CVE request: pacemaker DoS when pacemaker remote is in use Cedric Buissart (Sep 30)
- Re: CVE request: pacemaker DoS when pacemaker remote is in use cve-assign (Sep 30)