A privilege escalation flaw was found in gluster snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
Find out more about CVE-2018-1088 from the MITRE CVE dictionary dictionary and NIST NVD.
This vulnerability affects gluster servers that have, or have previously had, Gluster volume snapshot scheduling enabled from the CLI. Red Hat Enterprise Virtualization supports volume snapshot scheduling from the Web UI, which uses a distinct mechanism that is not subject to this vulnerability. VM snapshots are not impacted by this flaw. For more information, please see the Vulnerability Article linked under External References.
This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6, and 7 because only gluster client is shipped in these products. CVE-2018-1088 affects glusterfs-server package as shipped with Red Hat Gluster Storage 3.
| CVSS3 Base Score | 8.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack Vector | Adjacent Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts | RHSA-2018:1524 | 2018-05-15 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (redhat-release-virtualization-host) | RHSA-2018:1275 | 2018-05-02 |
| Red Hat Storage Native Client for Red Hat Enterprise Linux 7 (glusterfs) | RHSA-2018:1136 | 2018-04-18 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts | RHSA-2018:1136 | 2018-04-18 |
| Red Hat Gluster Storage Server 3.3 on RHEL-6 (glusterfs) | RHSA-2018:1137 | 2018-04-18 |
| Red Hat Gluster Storage Server 3.3 on RHEL-7 (glusterfs) | RHSA-2018:1136 | 2018-04-18 |
| Red Hat Storage Native Client for Red Hat Enterprise Linux 6 (glusterfs) | RHSA-2018:1137 | 2018-04-18 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | glusterfs | Not affected |
| Red Hat Enterprise Linux 6 | glusterfs | Not affected |
To limit exposure of gluster server nodes :
1. gluster server should be on LAN and not reachable from public networks.
2. Use gluster auth.allow and auth.reject.
3. Use TLS certificates between gluster server nodes and clients.
Caveat: This would only mitigate attacks from unauthorized malicious clients. gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.
Vulmon