Bug 4084 - keepalived new security issue CVE-2011-1784 and modprobe bug

Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/506209/
Whiteboard: MGA1TOO has_procedure MGA1-64-OK MGA1...
Keywords: validated_update

Reported: 2012-01-09 21:56 CET by Glen Ogilvie
Modified: 2012-08-02 20:22 CEST
Source RPM: keepalived-1.2.2-0.mga1.src.rpm

Description Glen Ogilvie 2012-01-09 21:56:56 CET
Hi,

It would appear from looking at the source of the keepalived package,
that Mageia's keepalived will have the same bug as listed here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415


i.e.:
keepalived/check/ipvswrapper.c: char *argv[] = { "/sbin/modprobe", "-s", "-k", "--", "ip_vs", NULL };

shows the -k option being passed to modprobe, but -k is not supported by modprobe.
Comment 1 Manuel Hiebel 2012-01-10 00:13:54 CET
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)
Comment 2 Marja van Waes 2012-04-19 21:55:08 CEST
Still no maintainer

@ Glen

Would it be something for you to maintain this package?
Comment 3 Marja van Waes 2012-05-26 13:04:28 CEST
Hi,

This bug was filed against cauldron, but we do not have cauldron at the moment.

Please report whether this bug is still valid for Mageia 2.

Thanks :)

Cheers,
marja
Comment 4 David Walser 2012-07-11 23:41:10 CEST
There is also CVE-2011-1784:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281

I've uploaded packages for Mageia 1, Mageia 2, and Cauldron with both patches.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and
earlier uses 0666 permissions for the (1) keepalived.pid,
(2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows
local users to kill arbitrary processes by writing a PID to one of
these files (CVE-2011-1784).

Also, keepalived was failing to load the ip_vs kernel module because
of an incorrect modprobe option.  This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.1.mga1
keepalived-1.2.2-1.1.mga2

from SRPMS:
keepalived-1.2.2-0.1.mga1.src.rpm
keepalived-1.2.2-1.1.mga2.src.rpm
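To make the advisory text concrete, here is an added C example. It is not keepalived's code and not the patch that was applied; it models the CVE-2011-1784 class of bug: a pidfile created with mode 0666, the 0644 form that closes the hole, the permission check that the later QA comments do by hand with ll, and a stop-time reader that refuses a pidfile anyone else could have written. The paths under /tmp, the planted PID 4242, and the explicit umask(0) around the open (standing in for a daemon that cleared its umask while detaching) are assumptions of the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Writes "pid\n" to path, creating the file with the given mode. The umask
 * is cleared around open() to reproduce a daemon that did umask(0) while
 * detaching (assumption of this example), so the mode lands on disk as-is. */
static int write_pidfile_mode(const char *path, pid_t pid, mode_t mode)
{
    char buf[32];
    mode_t old = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    umask(old);
    if (fd < 0)
        return -1;
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? 0 : -1;
}

/* The CVE-2011-1784 pattern: 0666, any local user can rewrite the PID. */
int pidfile_write_vulnerable(const char *path, pid_t pid)
{
    return write_pidfile_mode(path, pid, 0666);
}

/* Corrected pattern: 0644, readable by all, writable only by the owner. */
int pidfile_write_fixed(const char *path, pid_t pid)
{
    return write_pidfile_mode(path, pid, 0644);
}

/* 1 if group or others may write the file (what "ll" shows as rw-rw-rw-),
 * 0 if not, -1 on error. */
int pidfile_is_unsafe(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* What a naive "kill $(cat pidfile)" trusts: whatever number is in the file. */
pid_t pidfile_read(const char *path)
{
    long v = -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return (pid_t)v;
}

/* Defensive reader for a stop script: refuse the file unless it is a regular
 * file owned by the caller and writable by nobody else. */
pid_t pidfile_read_checked(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    if (st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return pidfile_read(path);
}

/* Unique path under /tmp with no file present, so the writer under test
 * chooses the creation mode itself. Returns 0 on success. */
static int fresh_path(char *path)
{
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    return unlink(path);
}

/* Runs one writer on a fresh file and reports pidfile_is_unsafe() for it. */
int probe_writer(int (*writer)(const char *, pid_t))
{
    char path[] = "/tmp/pidfile-demo-XXXXXX";
    if (fresh_path(path) != 0 || writer(path, getpid()) != 0)
        return -1;
    int unsafe = pidfile_is_unsafe(path);
    unlink(path);
    return unsafe;
}

/* The attack in one process: the daemon writes a 0666 pidfile, a local user
 * plants a PID of their choosing, and the naive reader hands that number to
 * kill. Returns 1 when the planted PID comes back from the naive reader and
 * the checked reader refuses the file. (A real attacker runs as another uid;
 * the 0666 bits are exactly what let their fopen succeed.) */
int attack_demo(void)
{
    const long planted = 4242; /* constructed value standing in for a victim PID */
    char path[] = "/tmp/pidfile-demo-XXXXXX";
    if (fresh_path(path) != 0 || pidfile_write_vulnerable(path, getpid()) != 0)
        return -1;
    FILE *f = fopen(path, "w");
    if (!f) {
        unlink(path);
        return -1;
    }
    fprintf(f, "%ld\n", planted);
    fclose(f);
    pid_t naive = pidfile_read(path);
    pid_t checked = pidfile_read_checked(path);
    unlink(path);
    return (naive == (pid_t)planted && checked == -1) ? 1 : 0;
}
```

probe_writer(pidfile_write_vulnerable) returns 1 and probe_writer(pidfile_write_fixed) returns 0, which is the same distinction the QA tester makes below by looking at the mode column of ll; attack_demo() shows why the distinction matters for anything that later reads the file and calls kill.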
Comment 5 David Walser 2012-07-11 23:41:30 CEST
*** Bug 6743 has been marked as a duplicate of this bug. ***
Comment 6 David Walser 2012-07-28 16:21:11 CEST
Another security bug was fixed upstream in 1.2.4.

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and
earlier uses 0666 permissions for the (1) keepalived.pid,
(2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows
local users to kill arbitrary processes by writing a PID to one of
these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has
also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module
because of an incorrect modprobe option.  This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.2.mga1
keepalived-1.2.2-1.2.mga2

from SRPMS:
keepalived-1.2.2-0.2.mga1.src.rpm
keepalived-1.2.2-1.2.mga2.src.rpm
Comment 7 Samuel Verschelde 2012-07-31 21:15:03 CEST
Any clues on how to test this one? It doesn't seem to be having much success among the QA team; a small testing procedure would greatly help :)
Comment 8 Dave Hodgins 2012-07-31 21:34:56 CEST
I'm testing Mageia 1 now.

For testing, at least three systems are needed. Two servers and a client.

I'm using Mageia 2 x86-64 as the client, and two Mageia 1 VirtualBox clients
as the servers (one i586 and one x86-64).

I've now gotten both servers working, such that I can ssh into either of them
from my login on the host.

I've installed keepalived on both servers, and once I have it configured, I
expect to be able to ssh using the virtual ip, have it go to the primary
system, and then with the primary system shutdown, have it go to the secondary
system.

I'll report back shortly, whether it's working as I think it's supposed to.
Comment 9 Dave Hodgins 2012-07-31 21:59:45 CEST
I used the following as a guide for the keepalived setup.
http://www.cyberciti.biz/faq/rhel-centos-fedora-keepalived-lvs-cluster-configuration/

# cat keepalived.conf
vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority 100
    authentication {
        auth_type PASS
        auth_pass mungedforposting
    }
    virtual_ipaddress {
        192.168.10.110/29 dev eth0
    }
}

Same config on the secondary, except priority 101. The primary (i1) is on
192.168.10.103 and the secondary (x1) is on 192.168.10.105.  After starting
keepalived on both systems, I can ping 192.168.10.110 from the host, which
is on 192.168.10.102.

In my ~/.ssh/config on the host, I have
Host vip
 Hostname 192.168.10.110
 Port 22
 User dave
 Compression yes
 CompressionLevel 9
 ServerAliveInterval 120

[dave@x2 ~]$ ssh vip
Warning: Permanently added '192.168.10.110' (RSA) to the list of known hosts.
Last login: Tue Jul 31 15:28:29 2012 from x2.hodgins.homeip.net
[dave@i1 ~]$ exit
logout
Connection to 192.168.10.110 closed.
<shutdown the i1 (Mageia 1 i586 system)>
[dave@x2 ~]$ ssh vip
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a2:42:2e:8b:61:be:61:c8:d7:93:b4:65:00:02:61:d6.
Please contact your system administrator.
Add correct host key in /home/dave/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/dave/.ssh/known_hosts:79
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Last login: Tue Jul 31 15:28:35 2012 from x2.hodgins.homeip.net
[dave@x1 ~]$ exit
logout
Connection to 192.168.10.110 closed.

Looks like I forgot to copy the host keys. :-)

Testing complete on Mageia 1 i586 and x86-64.

I'll test Mageia 2 once I get the virtualbox servers setup.
Comment 10 Dave Hodgins 2012-07-31 22:07:24 CEST
Whoops! Not OK on Mageia 1.

# ll /var/run/vrrp.pid /var/run/keepalived.pid 
-rw-rw-rw- 1 root root 5 Jul 31 16:03 /var/run/keepalived.pid
-rw-rw-rw- 1 root root 5 Jul 31 16:03 /var/run/vrrp.pid

The files are still other writable.

# rpm -qa|grep keepalived
keepalived-1.2.2-0.2.mga1
Comment 11 David Walser 2012-07-31 22:26:09 CEST
Thanks for testing, the patches weren't applied in the Mageia 1 package.

Fixed package uploaded.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and
earlier uses 0666 permissions for the (1) keepalived.pid,
(2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows
local users to kill arbitrary processes by writing a PID to one of
these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has
also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module
because of an incorrect modprobe option.  This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.3.mga1
keepalived-1.2.2-1.2.mga2

from SRPMS:
keepalived-1.2.2-0.3.mga1.src.rpm
keepalived-1.2.2-1.2.mga2.src.rpm
Comment 12 Dave Hodgins 2012-08-01 00:02:09 CEST
With keepalived-1.2.2-0.3.mga1 installed I'm still getting
-rw-rw-rw- 1 root  root          5 Jul 31 18:01 vrrp.pid
-rw-rw-rw- 1 root  root          5 Jul 31 18:01 keepalived.pid
on both i586 and x86-64.
Comment 13 David Walser 2012-08-01 00:07:18 CEST
Sorry, this spec file was all messed up.  It's really fixed now.

Advisory:
========================

Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and
earlier uses 0666 permissions for the (1) keepalived.pid,
(2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows
local users to kill arbitrary processes by writing a PID to one of
these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has
also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module
because of an incorrect modprobe option.  This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
========================

Updated packages in core/updates_testing:
========================
keepalived-1.2.2-0.4.mga1
keepalived-1.2.2-1.2.mga2

from SRPMS:
keepalived-1.2.2-0.4.mga1.src.rpm
keepalived-1.2.2-1.2.mga2.src.rpm
Comment 14 Dave Hodgins 2012-08-01 00:56:03 CEST
-rw-r--r-- 1 root   root          5 Jul 31 18:53 vrrp.pid
-rw-r--r-- 1 root   root          5 Jul 31 18:53 keepalived.pid

Confirmed fixed, and package is working.

Testing complete on Mageia 1.
Comment 15 Dave Hodgins 2012-08-01 02:03:49 CEST
Testing complete on Mageia 2.

Could someone from the sysadmin team push the srpm
keepalived-1.2.2-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
keepalived-1.2.2-0.4.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated keepalived package fixes security vulnerability:

The pidfile_write function in core/pidfile.c in keepalived 1.2.2 and
earlier uses 0666 permissions for the (1) keepalived.pid,
(2) checkers.pid, and (3) vrrp.pid files in /var/run/, which allows
local users to kill arbitrary processes by writing a PID to one of
these files (CVE-2011-1784).

A security issue due to syslog being used inside of sighandlers has
also been fixed.

Finally, keepalived was failing to load the ip_vs kernel module
because of an incorrect modprobe option.  This has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1784
http://www.keepalived.org/changelog.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619415
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281

https://bugs.mageia.org/show_bug.cgi?id=4084
Comment 16 Thomas Backlund 2012-08-02 20:22:01 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0188
