Bug 1890354 (CVE-2020-25660) - CVE-2020-25660 ceph: CEPHX_V2 replay attack protection lost
Summary: CVE-2020-25660 ceph: CEPHX_V2 replay attack protection lost
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25660
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1892823 1898551 1899327 1910513
Blocks: 1889858
TreeView+ depends on / blocked
 
Reported: 2020-10-22 00:34 UTC by Sage McTaggart
Modified: 2023-09-05 12:18 UTC (History)
31 users (show)

Fixed In Version: ceph 15.2.6, ceph 14.2.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Cephx authentication protocol, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph service via a packet sniffer and perform actions allowed by the Ceph service. This issue is a reintroduction of CVE-2018-1128, affecting the msgr2 protocol. The msgr 2 protocol is used for all communication except older clients that do not support the msgr2 protocol. The msgr1 protocol is not affected. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Environment:
Last Closed: 2020-12-02 17:33:53 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0179 0 None None None 2021-01-18 15:49:05 UTC
Red Hat Product Errata RHSA-2020:5325 0 None None None 2020-12-02 15:22:35 UTC
Red Hat Product Errata RHSA-2021:0081 0 None None None 2021-01-12 14:55:49 UTC

Description Sage McTaggart 2020-10-22 00:34:53 UTC
Ceph octopus lost CEPHX_V2 replay attack, and this was backported to nautilus in v14.2.5.This is very similar to a prior CVE, but we are requesting a new CVE because it only affects nautilus and later.

This flaw is very similar to CVE-2018-1128:
It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service.

Comment 5 Sage McTaggart 2020-10-29 18:09:35 UTC
https://github.com/ceph/ceph/pull/30524
https://github.com/ceph/ceph/pull/30523

These are the commits where the flaw was introduced.

Comment 8 Sage McTaggart 2020-10-29 19:04:16 UTC
Acknowledgments:

Name: Ilya Dryomov (Red Hat)

Comment 18 Sage McTaggart 2020-11-16 22:00:32 UTC
Statement:

Red Hat Ceph Storage 3 has already had a fix shipped for this particular flaw.  RHCS 4.1 is shipped with CVE-2018-1128 vulnerability reintroduced, affecting msgr 2 protocol.

Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only, that has reached End Of Life. Hence, ceph package is no longer used and supported with the release of RHOCS 4.3.

Comment 20 Sage McTaggart 2020-11-17 14:06:12 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1898551]

Comment 26 errata-xmlrpc 2020-12-02 15:22:32 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.1

Via RHSA-2020:5325 https://access.redhat.com/errata/RHSA-2020:5325

Comment 27 Product Security DevOps Team 2020-12-02 17:33:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25660

Comment 28 Fedora Update System 2020-12-10 01:14:17 UTC
FEDORA-2020-a8f1120195 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 29 errata-xmlrpc 2021-01-12 14:55:49 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:0081 https://access.redhat.com/errata/RHSA-2021:0081


Note You need to log in before you can comment on or make changes to this bug.