VYPR
Unrated severity · NVD Advisory · Published Apr 14, 2021 · Updated Sep 17, 2024

hawk: Insecure file permissions

CVE-2021-25314

Description

Local attackers can escalate to root via insecure temporary file permissions in SUSE Linux Enterprise HA hawk2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-25314 is a vulnerability in hawk2, the web interface for SUSE Linux Enterprise High Availability, caused by the creation of temporary files with insecure permissions. It exists in hawk/app/lib/invoker.rb and hawk/app/lib/crm_script.rb, where temporary files are made world-writable (File.chmod(0666, f.path)), so any local user can modify them. Affected versions are SUSE Linux Enterprise High Availability 12-SP3 and 12-SP5 with hawk2 versions prior to 2.6.3+git.1614685906.812c31e9, and SUSE Linux Enterprise High Availability 15-SP2 with hawk2 versions prior to 2.6.3+git.1614684118.af555ad9. [1]
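As an added illustration (not code from the hawk2 project), the Ruby below reproduces the temp-file pattern the description attributes to invoker.rb and crm_script.rb next to a hardened version that keeps Tempfile's default owner-only mode, and adds a check a privileged consumer can run before reading such a file. The script contents and function names are constructed for the example.

```ruby
require 'tempfile'

# Vulnerable pattern, modelled on the page's description: the temp file is
# created and then made world-writable with File.chmod(0666, ...). Between
# this call and the moment a privileged consumer (here, crm) reads the file,
# any local user can rewrite its contents.
def write_script_insecure(contents)
  f = Tempfile.new('crm-script')
  File.chmod(0666, f.path)
  f.write(contents)
  f.flush
  f
end

# Hardened pattern: Tempfile already creates the file 0600 (owner read/write
# only) with O_EXCL, so simply not loosening the mode closes the window.
def write_script_secure(contents)
  f = Tempfile.new('crm-script')
  f.write(contents)
  f.flush
  f
end

# True when group or world write bits are set, i.e. users other than the
# owner could have altered the file. This is the condition the CVE relies on.
def modifiable_by_others?(path)
  (File.stat(path).mode & 0o022) != 0
end

# Guard a consumer can apply before handing a path to a privileged command:
# regular file, owned by us, and not writable by anyone else.
def safe_to_consume?(path)
  st = File.stat(path)
  st.file? && st.owned? && !modifiable_by_others?(path)
end

# Creates one file with each pattern and reports mode and verdict, then
# removes both files. Script body is a constructed, harmless sample.
def demo
  sample   = "# constructed sample crm script\nstatus\n"
  insecure = write_script_insecure(sample)
  secure   = write_script_secure(sample)
  result = {
    insecure_mode: format('%o', File.stat(insecure.path).mode & 0o777),
    insecure_safe: safe_to_consume?(insecure.path),
    secure_mode:   format('%o', File.stat(secure.path).mode & 0o777),
    secure_safe:   safe_to_consume?(secure.path)
  }
  [insecure, secure].each(&:close!)
  result
end
```

Running `demo` shows the insecure file at mode 666 and rejected by the guard, while the default Tempfile stays at 600 and passes.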

Exploitation

A local attacker with standard user access to the system can exploit the insecure temporary file permissions. In invoker.rb, an attacker can modify the temporary file used for a crm configure load update command, allowing arbitrary changes to the Cluster Information Base (CIB). In crm_script.rb, the attacker can modify a temporary file that is later passed to crm as a script; because crm is powerful and can be misused in various ways, this can lead to arbitrary command execution as root. No authentication beyond local access is required. [1]

Impact

Successful exploitation allows a local attacker to escalate privileges to root. By modifying temporary files used by hawk2, an attacker can manipulate cluster configuration or execute arbitrary commands with root privileges, leading to full compromise of the system and the high-availability cluster. [1]

Mitigation

SUSE has released fixed versions: hawk2-2.6.3+git.1614685906.812c31e9 for SLES HA 12-SP3 and 12-SP5, and hawk2-2.6.3+git.1614684118.af555ad9 for SLES HA 15-SP2. Users should update to these versions or later. No workaround is provided in the available references. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
