CVE-2020-25654 Overview
An Access Control List (ACL) bypass vulnerability was discovered in ClusterLabs Pacemaker, the widely-used open-source high-availability cluster resource manager. This flaw allows attackers with a local account on the cluster who are members of the haclient group to bypass ACL restrictions by communicating directly with various Pacemaker daemons through Inter-Process Communication (IPC) mechanisms. This bypass enables unauthorized execution of privileged cluster management tasks that would normally be restricted by the configured ACLs.
Critical Impact
Local attackers in the haclient group can bypass ACL restrictions and perform unauthorized cluster management operations, potentially compromising the integrity and availability of high-availability clusters.
Affected Products
- ClusterLabs Pacemaker (versions prior to security fix)
- ClusterLabs Pacemaker 2.0.5-rc1
- Debian Linux 9.0
Discovery Timeline
- 2020-11-24 - CVE-2020-25654 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-25654
Vulnerability Analysis
This vulnerability represents an Authorization Bypass flaw (CWE-284: Improper Access Control) in Pacemaker's access control implementation. The core issue lies in how Pacemaker handles IPC communications between local users and its daemon processes. While Pacemaker implements ACLs to restrict what actions users can perform through the standard configuration interface, these restrictions can be circumvented when users communicate directly with the underlying daemons via IPC.
The attack requires the attacker to have a local account on a cluster node and membership in the haclient group, which is the standard group used for Pacemaker cluster administration. Users in this group have legitimate access to communicate with Pacemaker services, but the ACL enforcement was designed to limit their capabilities based on configured policies. The vulnerability allows these users to bypass the policy enforcement layer entirely.
Root Cause
The root cause of this vulnerability is improper enforcement of access controls at the IPC layer. Pacemaker's architecture separates the configuration interface from the backend daemons, with ACLs enforced at the configuration layer. However, the IPC communication channels between local processes and Pacemaker daemons did not properly enforce the same ACL restrictions. This architectural oversight means that users who can directly access the IPC mechanisms can perform operations that should require elevated permissions, effectively rendering the ACL configuration ineffective for local privileged group members.
Attack Vector
The attack vector for CVE-2020-25654 involves a local attacker who already has legitimate access to a cluster node as a member of the haclient group. Rather than using the standard crm or pcs command-line tools (which enforce ACLs), the attacker can craft direct IPC messages to Pacemaker daemons such as pacemaker-based, pacemaker-controld, or pacemaker-attrd. By bypassing the configuration layer, the attacker can execute privileged operations including modifying cluster configuration, manipulating resource states, or disrupting cluster operations—all actions that their assigned ACL role should prevent.
The vulnerability is particularly concerning in multi-tenant or shared cluster environments where ACLs are relied upon to provide separation of duties and limit the blast radius of compromised accounts.
Detection Methods for CVE-2020-25654
Indicators of Compromise
- Unusual IPC activity from users in the haclient group that bypasses standard cluster management tools
- Cluster configuration changes that do not appear in standard audit logs from crm or pcs commands
- Direct socket connections to Pacemaker daemon IPC endpoints from unexpected processes
- Cluster resource state modifications without corresponding authorized configuration changes
Detection Strategies
- Monitor IPC communications to Pacemaker daemons using auditd rules on relevant socket files
- Compare cluster configuration changes against authorized change management records
- Implement logging of all direct daemon communications at the Pacemaker level
- Review haclient group membership regularly to ensure only authorized users have access
Monitoring Recommendations
- Enable comprehensive audit logging for Pacemaker operations and cluster state changes
- Monitor for anomalous patterns in cluster management activity outside normal operational windows
- Set up alerts for cluster configuration modifications that don't originate from approved administrative interfaces
- Track membership changes to the haclient group and correlate with authorization requests
How to Mitigate CVE-2020-25654
Immediate Actions Required
- Apply vendor security patches for Pacemaker from your distribution's package repository
- Review and audit all members of the haclient group to ensure only trusted administrators have access
- Implement network isolation for cluster management interfaces where possible
- Monitor cluster activity for signs of unauthorized modifications
Patch Information
ClusterLabs has addressed this vulnerability in updated versions of Pacemaker. Administrators should consult the ClusterLabs User Mailing List announcement for specific version details. Distribution-specific patches are available:
- Debian: Security update available via Debian LTS announcement
- Gentoo: Addressed in GLSA 2023-09-09
- Red Hat/CentOS: Tracked in Red Hat Bugzilla #1888191
Workarounds
- Restrict haclient group membership to only essential, highly-trusted administrators
- Implement additional host-based access controls (such as SELinux or AppArmor policies) to limit IPC access to Pacemaker daemons
- Use network segmentation to isolate cluster nodes from untrusted network segments
- Enable enhanced auditing and monitoring until patches can be applied
# Review haclient group membership
getent group haclient
# Audit Pacemaker IPC socket access (add to auditd rules)
-w /var/run/pacemaker/ -p rwxa -k pacemaker_ipc
# Check current Pacemaker version
pacemakerd --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
