summaryrefslogtreecommitdiffstats
path: root/doc/security.txt
blob: c211bf0d9be06aedcd53a24d2baf450549101cf0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
Points of Entry
##################

Inter CRM Messaging
=======================
Security relies on the existing systems in place for sending HA
Messages.  The assumption here is that once a member node has been
compromised, you've pretty much had it anyway.

CRM Internal Messaging
=======================
Security relies on the existing systems in place for sending IPC
Messages.  Remember, once a member node has been compromised, you've
pretty much had it anyway.

Admin client X, Y
=======================
Security replies on standard RPC mechanisms of hosts.allow/hosts.deny
etc.  It is likely that this would be augmented by adding an identity
store (leading candidates would be the CIB and /etc/passwd) and
authorization mechanisms to the CRM RPC Server processes.

To achieve a moderately sensible level of security granularity, the API
should at least be split up into the following list of RPC Servers:

cib_delete
cib_update
cib_create
crm_admin


Admin client Z
=======================
See: Inter CRM Messaging

Potential Exploits
=======================
These exclude things like faking HA Messages, hacking IPC fifo's and for
the moment packet sniffing of RPC requests.

The "Measures" section is intended to contain measures to prevent the
attack or to at least raise the bar for potential intruders.

Exploit Class #1
	Desc: Impersonate the DC
	Requires: Access to the DC
		  Ability to register with heartbeat as it is currently running[1]
	Measures: 1, 2, 3, 4, 5

Exploit Class #2
	Desc: Impersonate the local CRMd
	Requires: Access to the member node
		  Ability to reconfigure and restart heartbeat
	Measures: 4, 5, 7
	Notes: This attack is pretty much limited to the local node (and any
		  shared resources :cringe:) which is no more than they could
		  do with access to the node anyway.

Exploit Class #3
	Desc: Impersonate a local CRMd client
	Requires: Access to a member node
	Measures: 1, 6

Exploit Class #4
	Desc: Rogue Admin client (Type Z)
	Requires: Access to a member node
		  Ability to construct valid XML message
		  a) Ability to reconfigure and restart heartbeat, or
		  b) Ability to register with Heartbeat with a currently unused
		     client name
	Measures: 8, ?
	Notes: This is probably the second worst scenario, about all we could potentially do
	       is implement behavioural pattern recognition and that is :definitely: not
	       going to be in 1.0 :)

Exploit Class #5
	Desc: Rogue Admin client (Type X or Y)
	Requires: Access to the CRM RPC API
		  Access to a host with sufficient RPC permissions
	Measures: 8, 9
	Notes: This :is: the worst scenario, attackers don't even need access to a member
	       node or modify/interrogate the Heartbeat config.  Again, about all we could
	       potentially do is implement behavioural pattern recognition.

Exploit Class #6
	Desc: Data interception - Rogue Admin client (Type Y)
	Requires: Access to the RPC API
		  Knowledge of a current, valid and unchecked ticket ID[5]
	Measures: 8, 9, 10

Exploit Class #7
	Desc: Malicious user (Using a Known Admin Client)
	Requires: Access to a host with sufficient RPC permissions
		  Access to an existing admin client
		  a) Access to an identity that the RPC servers deem to have sufficient permissions, or
		  b) Access to an admin client that passes a pre-defined set of credentials, not the users
	Measures: 8, 9, 10, 11

List of Measures
=================
Measure 1: As the CRMd, verify the "type" attribute when routing IPC messages from
	   sub-systems and discard if it is not a response[2]

Measure 2: As the CRMd, verfiy the "from" field on incoming messages and discard
	   if it is not "admin" or "dc"

Measure 3: As the CRMd, verfiy F_ORIG against known value for the DC.  Only the DC
	   should be sending us messages[3]

Measure 4: As Heartbeat, only allow clients registered as "crmd" to send messages
	   with F_TYPE="CRM"

Measure 5: Respawn the CRMd if it is stopped and drop out of the cluster if
	   multiple HA clients are trying to register as "crmd"[4]

Measure 6: As CRMd, cause Heartbeat to drop out of the cluster if multiple clients
	   are trying to register as the same sub-system.

Measure 7: As the CIB, detect multiple active registrations and shutdown
	   when this is detected.

Measure 8: Require the admin clients to provide a credential which must be matched
	   against an identity store.[6][7]

Measure 9: Configure RPC security appropriately

Measure 10: Invalidate the ticket and the result set once the ticket has been used.

Measure 11: Don't create admin clients that pass a pre-defined set of credentials

[1] Shutting down Heartbeat to change permissions would mean the DC is
    assigned elsewhere anyway
[2] Sub-systems other than the CRMs/DC should not be making requests
[3] If not implemented, then this exploit would only require access to any
    member node
[4] This is currently reported as an error and the second attempt is denied
[5] It is envisioned that in the case of asynchronous RPC calls, that a
    "ticket" would be issued that the client would use to ask for a result,
    or perhaps set up a callback.  A second async call would be made to
    retrieve the result.  Synchronous RPC calls would internally use a
    different call that would block on this ticket until a result was
    available.
[6] Depending on the type of client and where it takes its credentials from,
    this would either prevent unknown clients or unknown users accessing the
    CRM (at least until the ID store is hacked)
[7] After the ID store is decided on, we obviously then need to consider the
    security surrounding it also