Symlink attack in Red Hat Gluster Storage Server

Published: 2018-04-25

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2018-1088
CWE-ID	CWE-61
Exploitation vector	Local network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software Subscribe	Red Hat Gluster Storage Server for On-premise Server applications / File servers (FTP/HTTP)
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Symlink attack

EUVDB-ID: #VU12150

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-1088

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: Yes

Description

The vulnerability allows an adjacent unauthenticated attacker to gain elevated privileges on the target system.

The weakness exists in the snapshot scheduler due to improper security restrictions during the mounting of gluster volumes. An adjacent attacker can access a gluster node, perform symbolic link attack that is designed to schedule malicious cronjobs and gain root privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Red Hat Gluster Storage Server for On-premise: 3 - 3.13.2

CPE2.3

External links

http://access.redhat.com/security/cve/cve-2018-1088

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.