RHSA-2019:2285

https://bugzilla.suse.com/show_bug.cgi?id=1015141

https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306

https://github.com/acassen/keepalived/issues/1048

GLSA-201903-01

According to the version of the keepalived package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - keepalived 2.0.8 didn't check for pathnames with     symlinks when writing data to a temporary file upon a     call to PrintData or PrintStats. This allowed local     users to overwrite arbitrary files if     fs.protected_symlinks is set to 0, as demonstrated by a     symlink from /tmp/keepalived.data or     /tmp/keepalived.stats to /etc/passwd.(CVE-2018-19044)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.
(CVE-2018-19044 )

According to the version of the keepalived package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - keepalived 2.0.8 didn't check for pathnames with     symlinks when writing data to a temporary file upon a     call to PrintData or PrintStats. This allowed local     users to overwrite arbitrary files if     fs.protected_symlinks is set to 0, as demonstrated by a     symlink from /tmp/keepalived.data or     /tmp/keepalived.stats to /etc/passwd.(CVE-2018-19044)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the keepalived package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - keepalived 2.0.8 didn't check for pathnames with     symlinks when writing data to a temporary file upon a     call to PrintData or PrintStats. This allowed local     users to overwrite arbitrary files if     fs.protected_symlinks is set to 0, as demonstrated by a     symlink from /tmp/keepalived.data or     /tmp/keepalived.stats to /etc/passwd.(CVE-2018-19044)

  - keepalived before 2.0.7 has a heap-based buffer     overflow when parsing HTTP status codes resulting in     DoS or possibly unspecified other impact, because     extract_status_code in lib/html.c has no validation of     the status code and instead writes an unlimited amount     of data to the heap.(CVE-2018-19115)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the keepalived package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - keepalived 2.0.8 didn't check for pathnames with     symlinks when writing data to a temporary file upon a     call to PrintData or PrintStats. This allowed local     users to overwrite arbitrary files if     fs.protected_symlinks is set to 0, as demonstrated by a     symlink from /tmp/keepalived.data or     /tmp/keepalived.stats to /etc/passwd.(CVE-2018-19044)

  - keepalived 2.0.8 didn't check for existing plain files     when writing data to a temporary file upon a call to     PrintData or PrintStats. If a local attacker had     previously created a file with the expected name (e.g.,     /tmp/keepalived.data or /tmp/keepalived.stats), with     read access for the attacker and write access for the     keepalived process, then this potentially leaked     sensitive information.(CVE-2018-19046)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has keepalived packages installed that are affected by a vulnerability:

  - keepalived 2.0.8 didn't check for pathnames with     symlinks when writing data to a temporary file upon a     call to PrintData or PrintStats. This allowed local     users to overwrite arbitrary files if     fs.protected_symlinks is set to 0, as demonstrated by a     symlink from /tmp/keepalived.data or     /tmp/keepalived.stats to /etc/passwd. (CVE-2018-19044)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has keepalived packages installed that are affected by a vulnerability:

  - keepalived 2.0.8 didn't check for pathnames with     symlinks when writing data to a temporary file upon a     call to PrintData or PrintStats. This allowed local     users to overwrite arbitrary files if     fs.protected_symlinks is set to 0, as demonstrated by a     symlink from /tmp/keepalived.data or     /tmp/keepalived.stats to /etc/passwd. (CVE-2018-19044)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.(CVE-2018-19044)

An update for keepalived is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The keepalived utility provides simple and robust facilities for load balancing and high availability. The load balancing framework relies on the well-known and widely used IP Virtual Server (IPVS) kernel module providing layer-4 (transport layer) load balancing. Keepalived implements a set of checkers to dynamically and adaptively maintain and manage a load balanced server pool according to the health of the servers. Keepalived also implements the Virtual Router Redundancy Protocol (VRRPv2) to achieve high availability with director failover.

Security Fix(es) :

* keepalived: Improper pathname validation allows for overwrite of arbitrary filenames via symlinks (CVE-2018-19044)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Security Fix(es) :

  - keepalived: Improper pathname validation allows for     overwrite of arbitrary filenames via symlinks     (CVE-2018-19044)

An update of the keepalived package has been released.

This update for keepalived to version 2.0.10 fixes the following issues :

Security issues fixed (bsc#1015141) :

  - CVE-2018-19044: Fixed a check for pathnames with     symlinks when writing data to a temporary file upon a     call to PrintData or PrintStats

  - CVE-2018-19045: Fixed mode when creating new temporary     files upon a call to PrintData or PrintStats

  - CVE-2018-19046: Fixed a check for existing plain files     when writing data to a temporary file upon a call to     PrintData or PrintStats

Non-security issues fixed :

  - Replace references to /var/adm/fillup-templates with new     %_fillupdir macro (boo#1069468)

  - Use getaddrinfo instead of gethostbyname to workaround     glibc gethostbyname function buffer overflow     (bsc#949238)

For the full list of changes refer to:
http://www.keepalived.org/changelog.html

The remote host is affected by the vulnerability described in GLSA-201903-01 (Keepalived: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in keepalived. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could send a specially crafted request possibly       resulting in a Denial of Service condition. A local attacker could       perform symlink attacks to overwrite arbitrary files with the privileges       of the user running the application.
  Workaround :

    There is no known workaround at this time.

Security fix for CVE-2018-19044, CVE-2018-19045, CVE-2018-19046, CVE-2018-19115

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
140890	EulerOS 2.0 SP3 : keepalived (EulerOS-SA-2020-2123)	Nessus	Huawei Local Security Checks	low
139548	Amazon Linux AMI : keepalived (ALAS-2020-1414)	Nessus	Amazon Linux Local Security Checks	low
136264	EulerOS Virtualization for ARM 64 3.0.2.0 : keepalived (EulerOS-SA-2020-1561)	Nessus	Huawei Local Security Checks	low
135655	EulerOS Virtualization 3.0.2.2 : keepalived (EulerOS-SA-2020-1493)	Nessus	Huawei Local Security Checks	high
135144	EulerOS Virtualization for ARM 64 3.0.6.0 : keepalived (EulerOS-SA-2020-1357)	Nessus	Huawei Local Security Checks	low
133991	EulerOS 2.0 SP8 : keepalived (EulerOS-SA-2020-1157)	Nessus	Huawei Local Security Checks	low
132488	NewStart CGSL CORE 5.05 / MAIN 5.05 : keepalived Vulnerability (NS-SA-2019-0240)	Nessus	NewStart CGSL Local Security Checks	low
132359	EulerOS 2.0 SP5 : keepalived (EulerOS-SA-2019-2692)	Nessus	Huawei Local Security Checks	low
131407	NewStart CGSL CORE 5.04 / MAIN 5.04 : keepalived Vulnerability (NS-SA-2019-0219)	Nessus	NewStart CGSL Local Security Checks	low
130220	Amazon Linux 2 : keepalived (ALAS-2019-1323)	Nessus	Amazon Linux Local Security Checks	low
128384	CentOS 7 : keepalived (CESA-2019:2285)	Nessus	CentOS Local Security Checks	low
128225	Scientific Linux Security Update : keepalived on SL7.x x86_64 (20190806)	Nessus	Scientific Linux Local Security Checks	low
127706	RHEL 7 : keepalived (RHSA-2019:2285)	Nessus	Red Hat Local Security Checks	low
126112	Photon OS 3.0: Keepalived PHSA-2019-3.0-0015	Nessus	PhotonOS Local Security Checks	high
123152	openSUSE Security Update : keepalived (openSUSE-2019-1008)	Nessus	SuSE Local Security Checks	medium
122920	Photon OS 1.0: Keepalived PHSA-2019-1.0-0212	Nessus	PhotonOS Local Security Checks	high
122916	Photon OS 2.0: Keepalived PHSA-2019-2.0-0134	Nessus	PhotonOS Local Security Checks	high
122729	GLSA-201903-01 : Keepalived: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
120373	Fedora 29 : keepalived (2018-3fbc181b3e)	Nessus	Fedora Local Security Checks	high
119854	openSUSE Security Update : keepalived (openSUSE-2018-1575)	Nessus	SuSE Local Security Checks	medium

CVE-2018-19044

LOW

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

low

low

low

high

low

low

low

low

low

low

low

low

low

high

medium

high

high

high

high

medium