Bug 1575866 (CVE-2018-1128)

Summary: CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Product: [Other] Security Response Reporter: Siddharth Sharma <sisharma>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact: Aron Gunn <agunn>
Priority: medium    
Version: unspecifiedCC: agunn, branto, danmick, david, dbecker, fedora, gfidente, i, jdurgin, jjoyce, josef, jschluet, kdreyer, kkeithle, lhh, lpeer, mburns, mhicks, ramkrsna, sclewis, security-response-team, sisharma, slinaber, steve, sweil, tserlin, uboppana, yehuda
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ceph 10.2.11, ceph 12.2.6, ceph 13.2.1 Doc Type: If docs needed, set a value
Doc Text:
It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to the ceph cluster network who is also able to sniff packets on the network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-24 09:06:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2258831, 1576018, 1576019, 1576020, 1599404, 1599406, 1662076    
Bug Blocks: 1574281    

Description Siddharth Sharma 2018-05-08 06:35:16 UTC 
Service ticket issued using cephx to authenticate with a ceph service like Mon, OSD are vulnerable to replay attack. Ticket is sent with a nonce from client to service, service responds back to client with a mutation of nonce. This lets client verify that the service is what it says it is. Though this does not protect against a replay. If attacker is able to capture/sniff the exchange, attacker can replay the capture to authenticate with ceph service and perform actions only provided by the ceph service.

There are no known exploits against this, attacker has to be on the same network as of ceph cluster to be able to capture exchange.
Comment 6 Siddharth Sharma 2018-07-09 17:00:07 UTC 
upstream fix:

http://tracker.ceph.com/issues/24836
https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468
Comment 8 Siddharth Sharma 2018-07-09 17:08:37 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1599406]
Comment 9 errata-xmlrpc 2018-07-11 18:10:53 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.0 for Ubuntu 16.04

Via RHSA-2018:2177 https://access.redhat.com/errata/RHSA-2018:2177
Comment 10 errata-xmlrpc 2018-07-11 18:21:09 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2018:2179 https://access.redhat.com/errata/RHSA-2018:2179
Comment 13 errata-xmlrpc 2018-07-26 15:36:03 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2.5 for Ubuntu 16.04.

Via RHSA-2018:2274 https://access.redhat.com/errata/RHSA-2018:2274
Comment 14 errata-xmlrpc 2018-07-26 18:06:27 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2018:2261 https://access.redhat.com/errata/RHSA-2018:2261
Comment 16 Product Security DevOps Team 2019-07-24 09:06:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1128
Comment 17 Summer Long 2020-11-11 02:43:26 UTC 
Statement:

Red Hat OpenStack Platform ships the flawed package, however RHOSP deployments use the ceph package directly from the Ceph channel.  A RHOSP ceph update will therefore not be provided at this time, but please ensure that the underlying Red Hat Ceph Storage is updated.
Comment 18 Tomas Hoger 2020-11-11 09:57:39 UTC 
Fixed upstream in versions: 10.2.11, 12.2.6, and 13.2.1

https://docs.ceph.com/en/latest/releases/jewel/#v10-2-11-jewel
https://docs.ceph.com/en/latest/releases/luminous/#v12-2-6-luminous
https://docs.ceph.com/en/latest/releases/mimic/#v13-2-1-mimic