CVE-2021-3020
Description
The setuid binary hawk_invoke in Hawk (HA Web Konsole) can be used by the hacluster user to execute an unrestricted interactive shell, enabling privilege escalation to root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue exists in ClusterLabs Hawk (HA Web Konsole) through version 2.3.0-15. The package ships a setuid binary hawk_invoke (built from tools/hawk_invoke.c), intended to allow the hacluster user to execute a limited set of commands as root. However, the implementation fails to restrict execution to that safe set, so the hacluster user can run an unrestricted interactive shell. Hawk 2.3.0-15 and earlier are affected [1][2].
Exploitation
The attacker must have access as the hacluster user, a legitimate system account used for cluster management; no authentication or privileges beyond that account are required. The hacluster user can invoke hawk_invoke to start an unrestricted interactive shell (e.g., /bin/sh), bypassing the intended command restrictions [1][2].
Impact
Successful exploitation allows the hacluster user to execute arbitrary commands as root, leading to full compromise of the affected system. The attacker gains root-level privileges, enabling complete control over the host, including reading and writing all files, installing software, and pivoting within the network [1][2].
Mitigation
The fix has been applied in Hawk version 2.6.15 for SLE15 and 2.6.12 for SLE12, which removes the hawk_invoke C binary and uses capture3 for running system commands instead of the runas construct that called hawk_invoke. Users should upgrade to the latest release from the official repository [2]. There is no known workaround for vulnerable versions other than upgrading.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ClusterLabs/Hawk
- Range: <=2.3.0-15
- OSV coordinates (7 crmsh package versions), each followed by its affected range (no CPE):
- pkg:rpm/opensuse/crmsh (openSUSE Leap 15.2): < 4.3.0+20210305.9db5c9a8-lp152.4.47.1
- pkg:rpm/suse/crmsh (SUSE Linux Enterprise High Availability Extension 12 SP3): < 3.0.4+git.1614156978.4c1dc46d-13.62.1
- pkg:rpm/suse/crmsh (SUSE Linux Enterprise High Availability Extension 12 SP4): < 4.1.0+git.1614156984.f4f5e146-2.56.2
- pkg:rpm/suse/crmsh (SUSE Linux Enterprise High Availability Extension 12 SP5): < 4.1.0+git.1614156984.f4f5e146-2.56.2
- pkg:rpm/suse/crmsh (SUSE Linux Enterprise High Availability Extension 15): < 4.3.0+20210219.5d1bf034-3.62.3
- pkg:rpm/suse/crmsh (SUSE Linux Enterprise High Availability Extension 15 SP1): < 4.3.0+20210219.5d1bf034-3.57.3
- pkg:rpm/suse/crmsh (SUSE Linux Enterprise High Availability Extension 15 SP2): < 4.3.0+20210305.9db5c9a8-5.42.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The setuid binary hawk_invoke fails to restrict command execution to a safe whitelist, allowing the hacluster user to spawn an unrestricted interactive shell as root."
Attack vector
The `hacluster` user, who already has limited system access, can invoke `hawk_invoke` to execute an interactive shell as root. Because `hawk_invoke` does not sufficiently restrict which commands can be run, the user can bypass the intended safe-command whitelist and gain a full root shell. No additional authentication is needed because the binary is setuid root and the `hacluster` user is authorized to run it.
Affected code
The vulnerability involves the setuid binary `hawk_invoke` (built from `tools/hawk_invoke.c`), which is shipped with ClusterLabs Hawk through version 2.3.0-15. This binary is intended to allow the `hacluster` user to invoke certain commands as root, but it permits execution of an interactive shell that is not restricted to the intended safe command set.
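As an added illustration (not Hawk's own code; Hawk's actual fix removed hawk_invoke entirely and moved to capture3), here is the kind of exact-match allowlist check that the text says the setuid helper lacked. The command table, the argument limits and the function names are hypothetical:

```c
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist for a setuid helper in the style of hawk_invoke
 * (illustrative entries, not the real Hawk table). A command must equal one
 * of these absolute paths exactly, so "/bin/sh", a relative "sh" or a prefix
 * such as "/usr/sbin/crm_monx" are refused before any privilege is used. */
static const char *const ALLOWED_CMDS[] = {
    "/usr/sbin/crm_mon",
    "/usr/sbin/crm_resource",
    "/usr/sbin/cibadmin",
};
#define MAX_ARGS 32
#define MAX_ARG_LEN 256

/* Returns 1 if argv[0] is allowlisted and every argument is a short string
 * without control characters; 0 otherwise. argv must be NULL-terminated. */
int invoke_allowed(char *const argv[])
{
    size_t n, i;
    if (argv == NULL || argv[0] == NULL)
        return 0;
    for (n = 0; argv[n] != NULL; n++) {
        if (n >= MAX_ARGS || strlen(argv[n]) >= MAX_ARG_LEN)
            return 0;
        for (i = 0; argv[n][i] != '\0'; i++)   /* reject newlines, NUL tricks, etc. */
            if ((unsigned char)argv[n][i] < 0x20 || argv[n][i] == 0x7f)
                return 0;
    }
    for (i = 0; i < sizeof ALLOWED_CMDS / sizeof ALLOWED_CMDS[0]; i++)
        if (strcmp(argv[0], ALLOWED_CMDS[i]) == 0)
            return 1;   /* exact match only: no PATH lookup, no prefixes */
    return 0;
}

/* Executes an allowlisted command as root with a fixed environment so the
 * caller cannot inject PATH, LD_PRELOAD or similar. Returns 1 on refusal or failure. */
int run_allowed(char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    if (!invoke_allowed(argv))
        return 1;
    if (setuid(0) != 0)   /* euid is already 0 in a setuid-root helper; make ruid 0 too */
        return 1;
    execve(argv[0], argv, clean_env);
    return 1;   /* only reached if execve failed */
}
```

Even with such a check, the helper is only as safe as the allowlisted programs themselves, which is why removing the setuid binary, as the fix did, is the stronger option.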
What the fix does
The referenced commit [ref_id=1] addresses a related but separate issue in the crmsh bootstrap SSH setup (CVE-2020-3517), not the `hawk_invoke` setuid binary. No patch for the `hawk_invoke` vulnerability described in CVE-2021-3020 is included in the bundle. The advisory does not specify a fix; it only documents that the binary ships with an unrestricted shell capability that allows privilege escalation.
Preconditions
- Auth: the attacker must have access as the hacluster user on the system
- Config: the hawk_invoke binary must be present and setuid root (default installation)
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugzilla.suse.com/show_bug.cgi
- github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82
- github.com/ClusterLabs/hawk/releases
News mentions
No linked articles in our index yet.