CVE-2020-25654
📋 TL;DR
This CVE describes an access control list (ACL) bypass vulnerability in the Pacemaker cluster resource manager. A local user in the haclient group can bypass ACL restrictions by communicating directly with Pacemaker daemons over IPC, allowing unauthorized cluster operations. It affects Pacemaker clusters on which local user accounts with haclient group membership exist.
💻 Affected Systems
- Pacemaker
📦 What is this software?
Pacemaker by Clusterlabs
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise allowing unauthorized resource manipulation, service disruption, or privilege escalation across cluster nodes.
Likely Case
Unauthorized cluster configuration changes, resource manipulation, or service disruption by malicious local users.
If Mitigated
Limited impact if proper access controls restrict haclient group membership and local user accounts are minimized.
🎯 Exploit Status
Exploitation requires local access and haclient group membership. The flaw lies in the IPC communication mechanism, which allows the ACL checks to be bypassed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Pacemaker 2.0.5 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1888191
Restart Required: Yes
Instructions:
1. Update Pacemaker to version 2.0.5 or later using your distribution's package manager.
2. Restart Pacemaker services and cluster daemons.
3. Verify the update was successful.
🔧 Temporary Workarounds
Restrict haclient group membership
Remove all non-essential users from the haclient group to limit the attack surface
gpasswd -d username haclient
Implement strict local access controls
Limit local user accounts on cluster nodes to only essential administrators
userdel username
passwd -l username
🧯 If You Can't Patch
- Remove all non-essential users from haclient group and implement strict access controls
- Monitor for unauthorized IPC communications and cluster configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the Pacemaker version with 'pcs --version' or 'pacemakerd --version'. If the version is below 2.0.5, the system is vulnerable.
Check Version:
pcs --version 2>/dev/null || pacemakerd --version 2>/dev/null || rpm -q pacemaker || dpkg -l pacemaker
Verify Fix Applied:
Verify that the Pacemaker version is 2.0.5 or higher, and check that no unauthorized users are in the haclient group: 'getent group haclient'
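The two checks above (version below 2.0.5, unexpected haclient members) as a runnable script; this is an added example, not part of the advisory or of the Pacemaker project. The fixed version 2.0.5 comes from the advisory; the allowlist of expected haclient members (only the hacluster service account) and the sample command outputs are constructed assumptions for illustration.

```shell
# Added example, not from the advisory or the Pacemaker project: checks the two
# conditions named under "How to Verify" (version below 2.0.5, unexpected haclient members).
FIXED_VERSION="2.0.5"          # first fixed release, per the advisory
ALLOWED_HACLIENT="hacluster"   # assumption: only the cluster service account belongs here

# version_lt A B: succeeds when dotted version A is older than B.
# Packaging suffixes such as "2.0.4-5.el8" are stripped before comparing.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# pacemaker_version OUTPUT: extracts "2.0.4" from the "Pacemaker 2.0.4" line of pacemakerd --version.
pacemaker_version() {
    printf '%s\n' "$1" | sed -n 's/^Pacemaker \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# unexpected_haclient_members GROUPLINE ALLOWLIST: prints members of a getent-style
# "haclient:x:GID:user1,user2" line that are absent from the space-separated allowlist.
unexpected_haclient_members() {
    for m in $(printf '%s\n' "$1" | cut -d: -f4 | tr ',' ' '); do
        case " $2 " in *" $m "*) ;; *) printf '%s\n' "$m" ;; esac
    done
}

# Constructed sample data standing in for command output on a vulnerable node.
SAMPLE_VERSION_OUTPUT="Pacemaker 2.0.4
Written by Andrew Beekhof and the Pacemaker project contributors"
SAMPLE_GROUP_LINE="haclient:x:189:hacluster,alice,bob"

# Live check, run only where Pacemaker is actually installed.
if command -v pacemakerd >/dev/null 2>&1; then
    v=$(pacemaker_version "$(pacemakerd --version 2>/dev/null)")
    if [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: Pacemaker $v is older than $FIXED_VERSION"
    fi
    unexpected_haclient_members "$(getent group haclient)" "$ALLOWED_HACLIENT" |
        sed 's/^/REVIEW: unexpected haclient member: /'
fi
```

The script parses pacemakerd --version rather than pcs --version, because pcs --version reports the version of the pcs tool itself, not of Pacemaker.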
📡 Detection & Monitoring
Log Indicators:
- Unauthorized IPC communication attempts in Pacemaker logs
- Unexpected cluster configuration changes
- Failed ACL checks in system logs
Network Indicators:
- Unusual inter-process communication patterns between Pacemaker daemons
SIEM Query:
source="pacemaker.log" AND ("access denied" OR "permission denied" OR "unauthorized")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1888191
- https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html
- https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html
- https://seclists.org/oss-sec/2020/q4/83
- https://security.gentoo.org/glsa/202309-09