Headline
CVE-2022-1049: Improper Authorization in pcs
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.
Description
Pacemakers daemon pcsd allows authentication via PAMs pam_authenticate. Unfortunately the authorization via pam_acct_mgmt has been omitted. Therefore unprivileged expired accounts that have been denied access can still login.
Proof of Concept
You can expire an account with chage -E0 <username>
Impact
Since disabling an account in PAM still allows to login via ssh-keys, it’s common to set accounts to expire if you want to deny access. So accounts who technically don’t have any privilege are still allowed to login here. This also counts for accounts with expired passwords. A fix is supplied in the report.
Related news
Red Hat Security Advisory 2022-7935-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.
An update for pcs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1049: pcs: improper authentication via PAM
An update for pcs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1049: pcs: improper authentication via PAM