CVE-2020-35458

Vulnerability

A Ruby shell code injection vulnerability exists in ClusterLabs Hawk 2.x through version 2.3.0-x. The hawk_remember_me_id cookie value is passed unquoted and unfiltered into a shell command using Ruby's %x{} construct (or similar shell execution pattern) during the logout routine and the login-from-cookie path. This allows an attacker to inject arbitrary shell metacharacters via the cookie value. All Hawk versions from 2.2 up to and including 2.3.0-x are affected [1][2][3].

Exploitation

An unauthenticated remote attacker can trigger the vulnerable code path by making an HTTP request to /logout (or /login with the login_from_cookie parameter) and supplying a malicious hawk_remember_me_id cookie value containing shell injection payloads. No prior authentication or user interaction is required. The cookie value is directly interpolated into a command line string without sanitization, allowing the attacker to append arbitrary commands [2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary system commands with the privileges of the hauser user (the account under which the Hawk web server runs). This results in full compromise of the Hawk service and can be leveraged to attack the underlying Pacemaker/Corosync cluster infrastructure. The impact includes remote code execution (RCE) and privilege escalation from unauthenticated network access to code execution as hauser [2][3].

Mitigation

A fix was released on 2021-01-12 in hawk2 versions 2.4.0+git.1607523195.05cd3222 (for SLE 12-SP4/SP5) and 2.3.0+git.1603969748.10468582 (for SLE 15/SP1/SP2) [1][4]. The advisory recommends upgrading to these fixed versions. No workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.