CVE-2018-1088
First published: Tue Mar 20 2018(Updated: )
A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/glusterfs | <0:3.8.4-54.7.el6 | 0:3.8.4-54.7.el6 |
| redhat/glusterfs | <0:3.8.4-54.6.el7 | 0:3.8.4-54.6.el7 |
| redhat/redhat-release-virtualization-host | <0:4.1-11.0.el7 | 0:4.1-11.0.el7 |
| redhat/imgbased | <0:1.0.16-0.1.el7e | 0:1.0.16-0.1.el7e |
| redhat/ovirt-node-ng | <0:4.2.0-0.20170814.0.el7 | 0:4.2.0-0.20170814.0.el7 |
| redhat/redhat-release-virtualization-host | <0:4.2-3.0.el7 | 0:4.2-3.0.el7 |
| redhat gluster storage | >=3.0<=3.13.2 | |
| Red Hat Enterprise Virtualization | =4.0 | |
| redhat virtualization host | =4.0 | |
| redhat enterprise Linux server | =6.0 | |
| redhat enterprise Linux server | =7.0 | |
| openSUSE | =15.1 | |
| Debian Debian Linux | =9.0 |
Remedy
To limit exposure of gluster server nodes : 1. gluster server should be on LAN and not reachable from public networks. 2. Use gluster auth.allow and auth.reject. 3. Use TLS certificates between gluster server nodes and clients. Caveat: This would only mitigate attacks from unauthorized malicious clients. gluster clients allowed by auth.allow or having signed TLS client certificates would still be able to trigger this attack.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2018-1088 https://nvd.nist.gov/vuln/detail/CVE-2018-1088 https://access.redhat.com/articles/3414511
- https://bugzilla.redhat.com/show_bug.cgi?id=1558721
- https://access.redhat.com/errata/RHSA-2018:1137
- https://access.redhat.com/errata/RHSA-2018:1136
- https://access.redhat.com/errata/RHSA-2018:1275
- https://access.redhat.com/errata/RHSA-2018:1524
- https://access.redhat.com/security/cve/CVE-2018-1088
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html
- https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html
- https://security.gentoo.org/glsa/201904-06
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1568832
- https://access.redhat.com/articles/3414511
- https://review.gluster.org/#/c/19899/
- https://review.gluster.org/#/c/19898/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2018-1088?
CVE-2018-1088 is a privilege escalation flaw in the gluster snapshot scheduler.
What is the severity of CVE-2018-1088?
CVE-2018-1088 has a severity rating of 8.3 (high).
How can an attacker exploit CVE-2018-1088?
An attacker can exploit CVE-2018-1088 by mounting shared gluster storage volume and scheduling a malicious cronjob via symlink.
Which version of gluster is affected by CVE-2018-1088?
Gluster versions up to exclusive 3.8.4-54.7.el6 and up to exclusive 3.8.4-54.6.el7 are affected by CVE-2018-1088.
What is the remedy for CVE-2018-1088?
To remediate CVE-2018-1088, upgrade to gluster versions that are equal to or above 3.8.4-54.7.el6 and 3.8.4-54.6.el7.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1088
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/remedy
- agent/severity
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/redhat gluster storage
- version/redhat gluster storage/3.0
- version/redhat gluster storage/3.13.2
- canonical/red hat enterprise virtualization
- version/red hat enterprise virtualization/4.0
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0