CVE-2018-19044

keepalived 2.0.8 didnt check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Potential Mitigations

• Follow the principle of least privilege when assigning access rights to entities in a software system.
• Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/132.html
• https://cwe.mitre.org/data/definitions/17.html
• https://cwe.mitre.org/data/definitions/35.html
• https://cwe.mitre.org/data/definitions/76.html

References

• https://access.redhat.com/errata/RHSA-2019:2285
• https://bugzilla.suse.com/show_bug.cgi?id=1015141
• https://github.com/acassen/keepalived/commit/04f2d32871bb3b11d7dc024039952f2fe2750306
• https://github.com/acassen/keepalived/issues/1048
• https://security.gentoo.org/glsa/201903-01