Bug 1557130 (CVE-2018-7750)

Summary: CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: agrimm, ahardin, amoralej, apevec, apinnick, athmanem, bcourt, bkearney, bleanhar, bmcclain, btarraso, ccoleman, chrisw, cpelland, cstratak, dajohnso, dbaker, dblechte, dedgar, dmcphers, dmoppert, eedri, gblomqui, gmccullo, gtanzill, gwync, hhudgeon, ivazqueznet, jcammara, jfrey, jgoulding, jhardy, jjoyce, jkeck, jmatthew, jokerman, jprause, jschluet, jshepherd, kbasil, lhh, lpeer, markmc, mburns, mchappel, mgoldboi, michal.skrivanek, mmccune, mrike, obarenbo, ohadlevy, paul, pcahyna, psampaio, python-maint, rchan, rebus, roliveri, sclewis, security-response-team, sgallagh, sherold, simaishi, sisharma, slinaber, smallamp, ssaha, tcarlin, tdecacqu, tkuratom, torsava, tsanders, vbellur, yjog, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: yjog: needinfo-
Hardware: All
OS: Linux
Whiteboard:
  impact=critical
  public=20180313
  reported=20180316
  source=cve
  cvss3=9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cwe=CWE-287
  fedora-all/python-paramiko=affected
  epel-all/python-paramiko=affected
  rhel-6/python-paramiko=affected
  rhel-7/python-paramiko=affected
  rhel-8/python-paramiko=notaffected
  ceph-2/python-paramiko=affected/impact=low
  rhn_satellite_6/python-paramiko=affected/impact=low
  rhscon-2/python-paramiko=wontfix/impact=low
  rhev-m-4/python-paramiko=affected/impact=low
  cfme-5/python-paramiko=affected/impact=low
  openshift-enterprise-3/python-paramiko=affected/impact=low
  openstack-7/python-paramiko=wontfix/impact=low
  openstack-8/python-paramiko=wontfix/impact=low
  openstack-9/python-paramiko=wontfix/impact=low
  openstack-10/python-paramiko=wontfix/impact=low
  openstack-11/python-paramiko=wontfix/impact=low
  openstack-12/python-paramiko=wontfix/impact=low
  openstack-13/python-paramiko=affected/impact=low
  qci-1/python-paramiko=affected/impact=low
  rhes-3/python-paramiko=affected/impact=low
  openstack-rdo/python-paramiko=affected
  ansible_engine-2/ansible=affected/impact=low
  rhui-3/python-paramiko=affected/impact=low
Fixed In Version: python-paramiko 1.17.6, python-paramiko 1.18.5, python-paramiko 2.0.8, python-paramiko 2.1.5, python-paramiko 2.2.3, python-paramiko 2.3.2, python-paramiko 2.4.1
Doc Type: If docs needed, set a value
Doc Text:
It was found that when acting as an SSH server, paramiko did not properly check whether authentication is completed before processing other requests. A customized SSH client could use this to bypass authentication when accessing any resources controlled by paramiko.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:17:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1557568, 1557131, 1557132, 1557134, 1557135, 1557139, 1557140, 1557141, 1557142, 1557150, 1557564, 1557565, 1557566, 1557855, 1557856, 1558198, 1558199, 1561359, 1564049, 1564050, 1564051, 1564053, 1564374, 1564375, 1564376, 1564377, 1568093, 1568284, 1638846    
Bug Blocks: 1557133    

Description Sam Fowler 2018-03-16 04:42:33 UTC
A flaw was found in the implementation of transport.py in Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1: it does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.


Upstream Issue:

https://github.com/paramiko/paramiko/issues/1175


Upstream Patch:

https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516
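The description above says the server dispatches a channel-open before authentication has finished. The following stand-alone model, added here as an example and not taken from paramiko or the upstream patch, shows the pre-fix dispatch loop beside a hardened one that refuses connection-protocol messages until the peer has authenticated, which is the shape of the upstream fix. The message type numbers are the real SSH ones from RFC 4250; the Message and transport classes, the handler table and the toy password check are simplifications assumed for this illustration.

```python
# Stand-alone model of the CVE-2018-7750 dispatch flaw and its fix.
# Added example, not paramiko's code. Message numbers are real (RFC 4250
# section 4.1.2); the classes below are assumed simplifications.

# Types 1-79 are transport, key-exchange and userauth messages; types 80 and
# up belong to the connection protocol and are only meaningful after auth.
MSG_SERVICE_REQUEST = 5
MSG_KEXINIT = 20
MSG_USERAUTH_REQUEST = 50
MSG_USERAUTH_FAILURE = 51
MSG_USERAUTH_SUCCESS = 52
MSG_GLOBAL_REQUEST = 80
MSG_REQUEST_FAILURE = 82
MSG_CHANNEL_OPEN = 90
MSG_CHANNEL_OPEN_FAILURE = 92
HIGHEST_USERAUTH_MESSAGE_ID = 79
OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED = 1  # RFC 4254 section 5.1


class Message:
    """A decoded SSH packet: its type byte plus the already-parsed fields."""

    def __init__(self, ptype, fields=()):
        self.ptype = ptype
        self.fields = tuple(fields)


class VulnerableServerTransport:
    """Pre-fix behaviour: every known message type goes straight to its
    handler, whether or not the peer has authenticated."""

    PASSWORD = "correct horse"  # toy credential standing in for ServerInterface checks

    def __init__(self):
        self.authenticated = False
        self.channels = {}  # chanid -> channel kind
        self.sent = []      # replies queued to the client

    def handle(self, m):
        handler = self._handlers().get(m.ptype)
        if handler is not None:
            handler(m)

    def _handlers(self):
        return {
            MSG_USERAUTH_REQUEST: self._on_userauth,
            MSG_GLOBAL_REQUEST: self._on_global_request,
            MSG_CHANNEL_OPEN: self._on_channel_open,
        }

    def _on_userauth(self, m):
        user, password = m.fields
        self.authenticated = password == self.PASSWORD
        self.sent.append(Message(MSG_USERAUTH_SUCCESS if self.authenticated
                                 else MSG_USERAUTH_FAILURE))

    def _on_global_request(self, m):
        self.sent.append(Message(MSG_REQUEST_FAILURE))

    def _on_channel_open(self, m):
        kind, chanid = m.fields
        # The resource an unauthenticated client must never reach.
        self.channels[chanid] = kind


class FixedServerTransport(VulnerableServerTransport):
    """Post-fix behaviour: connection-protocol messages are refused until
    authentication has completed; pre-auth types pass through unchanged."""

    def handle(self, m):
        if m.ptype <= HIGHEST_USERAUTH_MESSAGE_ID or self.authenticated:
            super().handle(m)
            return
        reply = self._refusal_for(m)
        if reply is not None:
            self.sent.append(reply)
        # Channel-level messages (94+) name a channel id; with nothing ever
        # opened they hit the unknown-channel path, so they are simply dropped.

    def _refusal_for(self, m):
        if m.ptype == MSG_GLOBAL_REQUEST:
            return Message(MSG_REQUEST_FAILURE)
        if m.ptype == MSG_CHANNEL_OPEN:
            chanid = m.fields[1]
            return Message(MSG_CHANNEL_OPEN_FAILURE,
                           (chanid, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED, "", "en"))
        return None


def skip_auth_attack(transport):
    """Replays what the customized client in the description does: finish
    negotiation, then send channel-open without ever authenticating."""
    for m in (Message(MSG_KEXINIT),
              Message(MSG_SERVICE_REQUEST, ("ssh-connection",)),
              Message(MSG_CHANNEL_OPEN, ("session", 0))):
        transport.handle(m)
    return transport


if __name__ == "__main__":
    v = skip_auth_attack(VulnerableServerTransport())
    f = skip_auth_attack(FixedServerTransport())
    print("vulnerable: channels =", v.channels, "authenticated =", v.authenticated)
    print("fixed: channels =", f.channels, "last reply type =", f.sent[-1].ptype)
```

The gate sits in front of the handler table rather than inside each handler, so a future handler for another post-auth type cannot forget the check; the threshold 79 works because RFC 4250 reserves everything below it for transport and userauth.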

Comment 1 Sam Fowler 2018-03-16 04:43:39 UTC
Created python-paramiko tracking bugs for this issue:

Affects: fedora-all [bug 1557131]
Affects: epel-all [bug 1557132]

Comment 3 Sam Fowler 2018-03-16 05:00:06 UTC
Created python-paramiko tracking bugs for this issue:

Affects: openstack-rdo [bug 1557134]

Comment 26 errata-xmlrpc 2018-03-26 14:44:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2018:0591 https://access.redhat.com/errata/RHSA-2018:0591

Comment 35 errata-xmlrpc 2018-04-05 16:38:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:0646 https://access.redhat.com/errata/RHSA-2018:0646

Comment 36 Alfredo Moralejo 2018-04-05 17:53:28 UTC
With regards to openstack-rdo [bug 1557134], RDO uses packages in the CentOS extras repo, so we will get the fix for this CVE via an extras repo update in CentOS. I'll keep bug 1557134 updated.

Comment 42 errata-xmlrpc 2018-04-12 21:33:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support
  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:1125 https://access.redhat.com/errata/RHSA-2018:1125

Comment 43 errata-xmlrpc 2018-04-12 21:40:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1124 https://access.redhat.com/errata/RHSA-2018:1124

Comment 46 errata-xmlrpc 2018-04-24 09:04:09 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:1213 https://access.redhat.com/errata/RHSA-2018:1213

Comment 49 errata-xmlrpc 2018-05-02 13:10:15 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7
  Red Hat Virtualization Engine 4.1

Via RHSA-2018:1274 https://access.redhat.com/errata/RHSA-2018:1274

Comment 50 errata-xmlrpc 2018-05-07 20:42:22 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1328

Comment 51 errata-xmlrpc 2018-05-15 18:59:41 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525

Comment 52 errata-xmlrpc 2018-06-25 14:16:53 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2018:1972 https://access.redhat.com/errata/RHSA-2018:1972

Comment 54 Riccardo Schirone 2018-10-12 15:09:17 UTC
Statement:

This flaw is a user authentication bypass in the SSH Server functionality of paramiko (normally used by subclassing `paramiko.ServerInterface`). Where paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited.

The following Red Hat products use paramiko only in client-side mode. Server-side functionality is not used.

* Red Hat Ceph Storage 2
* Red Hat CloudForms 4
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Virtualization
* Red Hat Gluster Storage 3
* Red Hat Openshift Container Platform
* Red Hat Quick Cloud Installer
* Red Hat Satellite 6
* Red Hat Storage Console 2
* Red Hat OpenStack Platform
* Red Hat Update Infrastructure
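The statement above reduces exposure to two questions: is the paramiko version inside the affected ranges given in the description, and does the code base use server mode at all (a `paramiko.ServerInterface` subclass or a `Transport.start_server()` call) rather than only `SSHClient`? The script below, added here as an example and not Red Hat's or paramiko's code, answers both for a set of source files. The version boundaries are the bug's own "Fixed In Version" values; the banner parser assumes paramiko's default server identification string `SSH-2.0-paramiko_<version>`, which a deployment may override; the two source snippets are constructed inputs and are parsed, never executed.

```python
# Triage helper for CVE-2018-7750: affected version AND server-mode use?
# Added example, not Red Hat's or paramiko's code. Version boundaries are
# from this bug; the banner format is paramiko's default (an assumption if
# the deployment overrides it); the sample sources are constructed inputs.
import ast
import re

# First fixed version per release line. Anything older than 1.17.6 is
# affected outright; release lines absent from this table post-date the fix.
FIXED_IN = {
    (1, 17): (1, 17, 6), (1, 18): (1, 18, 5),
    (2, 0): (2, 0, 8), (2, 1): (2, 1, 5), (2, 2): (2, 2, 3),
    (2, 3): (2, 3, 2), (2, 4): (2, 4, 1),
}
OLDEST_FIX = (1, 17, 6)
BANNER_RE = re.compile(r"^SSH-2\.0-paramiko_(\d+\.\d+\.\d+)")


def parse_version(text):
    """'2.4.0' -> (2, 4, 0); rejects anything that is not X.Y.Z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("not a paramiko X.Y.Z version: %r" % text)
    return tuple(int(p) for p in m.groups())


def is_affected_version(text):
    v = parse_version(text)
    if v < OLDEST_FIX:
        return True
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed


def version_from_banner(banner):
    """Version from paramiko's default server banner, or None if not paramiko."""
    m = BANNER_RE.match(banner.strip())
    return m.group(1) if m else None


def _simple_name(node):
    # paramiko.ServerInterface -> "ServerInterface"; bare names unchanged.
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def server_mode_uses(source):
    """Locations in one Python file where paramiko's server-side API is used."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            if any(_simple_name(b) == "ServerInterface" for b in node.bases):
                hits.append("line %d: class %s subclasses ServerInterface"
                            % (node.lineno, node.name))
        elif isinstance(node, ast.Call) and _simple_name(node.func) == "start_server":
            hits.append("line %d: Transport.start_server() call" % node.lineno)
    return hits


def triage(version_text, sources):
    """Exposed only when the version is affected and some file uses server mode."""
    if not is_affected_version(version_text):
        return "not affected: paramiko %s carries the fix" % version_text
    hits = [h for src in sources for h in server_mode_uses(src)]
    if not hits:
        return "affected version, but only client-side use found: not exposed"
    return "EXPOSED: %d server-side API use(s) on paramiko %s" % (len(hits), version_text)


# Constructed sample sources (parsed only, never run).
CLIENT_ONLY = '''
import paramiko
c = paramiko.SSHClient()
c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
c.connect("host", username="u", password="p")
'''

SERVER_SIDE = '''
import paramiko
class Server(paramiko.ServerInterface):
    def check_auth_password(self, username, password):
        return paramiko.AUTH_SUCCESSFUL
t = paramiko.Transport(sock)
t.start_server(server=Server())
'''

if __name__ == "__main__":
    print(triage("2.4.0", [CLIENT_ONLY]))
    print(triage("2.4.0", [CLIENT_ONLY, SERVER_SIDE]))
    print(triage(version_from_banner("SSH-2.0-paramiko_2.4.1\r\n"), [SERVER_SIDE]))
```

Treat the banner check as a hint only: a paramiko-based server may set its own identification string, and the AST scan sees only Python it is given, so a dynamically imported server module would be missed.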