CVE-2020-35458 – CVE-2020-35458 is a critical remote code execut... (How to Fix)

Q: What is the severity of CVE-2020-35458?

CVE-2020-35458 has a CVSS score of 9.8 (CRITICAL). CVE-2020-35458 is a critical remote code execution vulnerability in ClusterLabs Hawk web interface versions 2.x through 2.3.0-x. Unauthenticated attackers can inject shell commands via the hawk_remember_me_id parameter in login cookies, potentially gaining full control of affected systems. All Hawk deployments using vulnerable versions are affected.

📋 TL;DR

CVE-2020-35458 is a critical remote code execution vulnerability in ClusterLabs Hawk web interface versions 2.x through 2.3.0-x. Unauthenticated attackers can inject shell commands via the hawk_remember_me_id parameter in login cookies, potentially gaining full control of affected systems. All Hawk deployments using vulnerable versions are affected.

💻 Affected Systems

Products:

ClusterLabs Hawk

Versions: 2.x through 2.3.0-x

Operating Systems: Linux distributions running Hawk

Default Config Vulnerable: ⚠️ Yes

Notes: All default Hawk installations with web interface enabled are vulnerable. The vulnerability exists in the Ruby code handling login cookies.

📦 What is this software?

Hawk by Clusterlabs

View all CVEs affecting Hawk →

Hawk by Clusterlabs

View all CVEs affecting Hawk →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining hauser privileges, allowing installation of persistent backdoors, data theft, and lateral movement within the cluster.

🟠

Likely Case

Remote code execution leading to service disruption, configuration manipulation, and potential privilege escalation to root via hauser's elevated permissions.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to Hawk interface.

🌐 Internet-Facing: HIGH - Hawk web interfaces exposed to internet are immediately vulnerable to unauthenticated RCE attacks.

🏢 Internal Only: HIGH - Even internally accessible interfaces are vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details and proof-of-concept code are publicly available in security advisories. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0+ (specifically versions after 2.3.0-x)

Vendor Advisory: https://github.com/ClusterLabs/hawk/releases

Restart Required: Yes

Instructions:

1. Backup Hawk configuration. 2. Update to Hawk version 2.3.0+ from official repositories. 3. Restart Hawk service. 4. Verify the update with version check.

🔧 Temporary Workarounds

Network Access Restriction

linux

Block external access to Hawk web interface using firewall rules

iptables -A INPUT -p tcp --dport 7630 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 7630 -j DROP

Disable Hawk Web Interface

linux

Temporarily disable Hawk web interface if not required

systemctl stop hawk
systemctl disable hawk

🧯 If You Can't Patch

Implement strict network segmentation to isolate Hawk interface from untrusted networks
Deploy web application firewall (WAF) with command injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check Hawk version: hawk --version or check package version. If version is 2.x through 2.3.0-x, system is vulnerable.

Check Version:

hawk --version 2>/dev/null || rpm -q hawk || dpkg -l | grep hawk

Verify Fix Applied:

Verify version is 2.3.0+ and test login functionality works without errors.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /login endpoint with shell metacharacters
Failed login attempts with suspicious cookie values
hauser process spawning unexpected child processes

Network Indicators:

HTTP requests containing shell commands in hawk_remember_me_id parameter
Outbound connections from Hawk server to unknown IPs

SIEM Query:

source="hawk.log" AND ("hawk_remember_me_id" AND ("|" OR ";" OR "$" OR "`"))

📊 Metadata

CVE ID: CVE-2020-35458

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: January 12, 2021

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2021/01/12/3 Mailing List,Patch,Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1179998 Issue Tracking,Patch,Third Party Advisory
https://github.com/ClusterLabs/hawk/releases Release Notes,Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/01/12/3 Mailing List,Patch,Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/01/12/3 Mailing List,Patch,Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1179998 Issue Tracking,Patch,Third Party Advisory
https://github.com/ClusterLabs/hawk/releases Release Notes,Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/01/12/3 Mailing List,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-35458, you might also want to check these: