oss-sec mailing list archives

pcs: disclosure of CVE-2018-1079 and CVE-2018-1086


From: Cedric Buissart <cbuissar () redhat com>
Date: Mon, 9 Apr 2018 13:28:08 +0200

Hi all,

This is to publicly disclose the following CVEs, rated as Medium and High.
Affected product is pcs (Pacemaker command line interface and GUI,
https://github.com/ClusterLabs/pcs).

* [high] CVE-2018-1079 pcs: Privilege escalation via authorized user
malicious REST call

It was found that the REST interface of the pcsd service did not properly
sanitize the file name from the /remote/put_file query. If the /etc/booth
directory exists, an authenticated attacker with write permissions could
create or overwrite arbitrary files with arbitrary data outside of the
/etc/booth directory, in the context of the pcsd process.

vulnerable since: support for booth file transfer was added (commit
dc7089b1, v. 0.9.157)

Patch attached
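An added example (my own illustration, not pcsd code and not the attached patch) of the containment check the first issue calls for: a file name taken from a REST request must be a single entry directly under /etc/booth before anything is written. BOOTH_DIR, safe_booth_path and write_booth_file are assumed names.

```ruby
# Added illustration, not pcs/pcsd code. BOOTH_DIR and the helper names
# are assumptions; the directory itself is the one the advisory names.
BOOTH_DIR = '/etc/booth'

# Returns the absolute destination path if +name+ is a plain file name that
# lands directly inside +base+, or nil for anything that would escape it.
# Only string and path normalisation is used, so no filesystem access needed.
def safe_booth_path(name, base = BOOTH_DIR)
  return nil if name.nil? || name.empty?
  return nil if name.include?("\0")            # NUL would truncate the path in C
  # A booth file name is one path component: no separators, no '.' / '..'.
  return nil if name.include?('/') || name.include?('\\')
  return nil if name == '.' || name == '..'
  dest = File.expand_path(name, base)
  # Belt and braces: after normalisation the parent must still be +base+.
  return nil unless File.dirname(dest) == base
  dest
end

# Writes +data+ to the checked location with owner-only permissions, or
# raises ArgumentError when the name fails the containment check.
def write_booth_file(name, data, base = BOOTH_DIR)
  dest = safe_booth_path(name, base)
  raise ArgumentError, "refusing to write outside #{base}: #{name.inspect}" if dest.nil?
  File.open(dest, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(data) }
  dest
end
```

Rejecting separators outright is deliberately stricter than a prefix check on the normalised path, since it also blocks writes into subdirectories that happen to exist under the booth directory.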

* [medium] CVE-2018-1086 pcs: Debug parameter removal bypass, allowing
information disclosure:

To prevent some information disclosure, pcsd actively removes '--debug'
from commands requested over the REST interface, but this can be bypassed.
The information gained could then be used to gain higher privileges.

Patch attached

The CVE-2018-1079 issue was discovered by Ondrej Mular (Red Hat) and the
CVE-2018-1086 issue was discovered by Cedric Buissart (Red Hat).

-- 
Cedric Buissart,
Product Security

Attachment: CVE-2018-1079.patch

Attachment: CVE-2018-1086.patch

