Bug 1637263 (CVE-2018-1000805)

Summary: CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: abhgupta, agrimm, ahardin, apevec, athmanem, bbuckingham, bcourt, bkearney, bleanhar, bmcclain, ccoleman, chrisw, cstratak, dajohnso, dbaker, dblechte, dedgar, dfediuck, dmetzger, dmoppert, eedri, eparis, gblomqui, gmccullo, gtanzill, gwync, igor.raits, ivazqueznet, jcammara, jforrest, jfrey, jgoulding, jhardy, jjoyce, jokerman, jprause, jschluet, jtanner, kbasil, kdixon, lhh, lpeer, markmc, mburns, mchappel, mgoldboi, mhradile, michal.skrivanek, mmccune, mrike, obarenbo, ohadlevy, orion, paul, pcahyna, python-maint, rbryant, rchan, rebus, rjerrido, roliveri, sbonazzo, sclewis, sgallagh, sherold, simaishi, sisharma, slinaber, ssaha, sthangav, tdecacqu, tkuratom, todd, torsava, trankin, vbellur, yozone, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-paramiko 2.4.2, python-paramiko 2.3.3, python-paramiko 2.2.4, python-paramiko 2.1.6, python-paramiko 2.0.9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:39:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1637264, 1637265, 1637266, 1637284, 1637285, 1637286, 1637287, 1637288, 1637289, 1637290, 1637291, 1637292, 1637361, 1637362, 1637363, 1637364, 1637365, 1637366, 1637367, 1637388, 1637390, 1638481, 1638842, 1639587
Bug Blocks: 1637267

Description Sam Fowler 2018-10-09 03:20:40 UTC
Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code.


Upstream Issue:

https://github.com/paramiko/paramiko/issues/1283


Upstream Patch:

https://github.com/paramiko/paramiko/commit/56c96a65

Comment 1 Sam Fowler 2018-10-09 03:21:53 UTC
Created python-paramiko tracking bugs for this issue:

Affects: epel-all [bug 1637265]
Affects: fedora-all [bug 1637264]
Affects: openstack-rdo [bug 1637266]

Comment 8 Joshua Padman 2018-10-11 03:25:08 UTC
OpenStack consumes the version of paramiko provided by RHEL. However, as per the statement, OpenStack does not use the SSH server functionality of paramiko.

Comment 17 errata-xmlrpc 2018-10-30 09:17:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3347 https://access.redhat.com/errata/RHSA-2018:3347

Comment 18 errata-xmlrpc 2018-10-30 16:58:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 6.4 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support
  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:3406 https://access.redhat.com/errata/RHSA-2018:3406

Comment 19 Doran Moppert 2018-12-14 02:38:11 UTC
This issue was addressed in Red Hat Virtualization in the following errata:

  https://access.redhat.com/errata/RHBA-2018:3497 (rhvm-appliance)
  https://access.redhat.com/errata/RHSA-2018:3470 (redhat-virtualization-host)

Comment 20 Borja Tarraso 2019-03-15 15:45:12 UTC
Ansible consumes the version of paramiko provided by RHEL. However, as per the statement, Ansible does not use the SSH server functionality of paramiko.

Comment 22 Borja Tarraso 2020-01-23 09:10:08 UTC
Statement:

This flaw is a user authentication bypass in the SSH Server functionality of paramiko (normally used by subclassing `paramiko.ServerInterface`). Where paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited.

The following Red Hat products use paramiko only in client-side mode. Server side functionality is not used.

* Red Hat Ansible Engine 2
* Red Hat Ceph Storage 2
* Red Hat CloudForms 4
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Virtualization
* Red Hat Gluster Storage 3
* Red Hat Openshift Container Platform
* Red Hat Quick Cloud Installer
* Red Hat Satellite 6
* Red Hat Storage Console 2
* Red Hat OpenStack Platform
* Red Hat Update Infrastructure
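The statement above reduces exposure to two conditions: a paramiko release older than the fixed version for its branch, and actual use of paramiko's SSH server side (subclassing `paramiko.ServerInterface`) rather than only `paramiko.SSHClient`. The script below is an added example that applies both conditions to a Python code base; it is not part of this bug report, of Red Hat's advisory, or of paramiko itself. The fixed versions come from the "Fixed In Version" field and the affected 1.x branches from the description; the AST-based detection heuristic, the handling of versions the bug does not list (newer than 2.4 treated as fixed, older than 1.17 treated as vulnerable), and the two sample sources are assumptions constructed for the example.

```python
"""Exposure check for the paramiko auth_handler.py authentication bypass
(CVE-2018-1000805). Added example; not code from the bug report or paramiko.
Condition 1: version predates the branch's fixed release.
Condition 2: the code base uses paramiko's server side (ServerInterface /
Transport.start_server); client-only use (SSHClient) is not exposed.
"""
import ast
import re

# Fixed release per minor branch, from the bug's "Fixed In Version" field.
FIXED_IN = {
    (2, 4): (2, 4, 2),
    (2, 3): (2, 3, 3),
    (2, 2): (2, 2, 4),
    (2, 1): (2, 1, 6),
    (2, 0): (2, 0, 9),
}
# Branches the description lists as affected; this bug names no fix for them.
AFFECTED_NO_FIX_LISTED = {(1, 18), (1, 17)}


def parse_version(text):
    """Turn '2.4.1' (any trailing suffix ignored) into a comparable tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised paramiko version: {text!r}")
    return tuple(int(part) for part in match.groups())


def version_is_vulnerable(text):
    """True if the version predates its branch's fixed release.
    Assumption: branches newer than 2.4 post-date the fix; anything older
    than the listed 1.x branches is treated as vulnerable (safe side)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    if branch in AFFECTED_NO_FIX_LISTED:
        return True
    return version < (2, 0, 0)


def _paramiko_name(node, module_aliases, imported_names):
    """Resolve `paramiko.X` / `alias.X` / from-imported `X` to 'X', else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return node.attr if node.value.id in module_aliases else None
    if isinstance(node, ast.Name):
        return imported_names.get(node.id)
    return None


def find_server_side_usage(source):
    """List server-side paramiko usages in Python source (heuristic, assumed):
    classes subclassing ServerInterface, and .start_server() calls in a module
    that imports paramiko. Dynamic or indirect use is not detected."""
    tree = ast.parse(source)
    module_aliases, imported_names = set(), {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "paramiko":
                    module_aliases.add(alias.asname or "paramiko")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] == "paramiko":
                for alias in node.names:
                    imported_names[alias.asname or alias.name] = alias.name
    if not module_aliases and not imported_names:
        return []  # paramiko is not imported in this module at all

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                if _paramiko_name(base, module_aliases, imported_names) == "ServerInterface":
                    findings.append(f"line {node.lineno}: class {node.name} subclasses ServerInterface")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr == "start_server":
                findings.append(f"line {node.lineno}: Transport.start_server() call")
    return findings


def assess(version_text, source):
    """Combine both conditions into one verdict."""
    vulnerable = version_is_vulnerable(version_text)
    if vulnerable and find_server_side_usage(source):
        return "EXPOSED"          # vulnerable release and server side in use
    if vulnerable:
        return "UPGRADE_ADVISED"  # vulnerable release, only client-side use seen
    return "NOT_AFFECTED"


# Constructed samples (not real project code) to exercise the checks.
SERVER_SAMPLE = """
import paramiko

class Server(paramiko.ServerInterface):
    def check_auth_password(self, username, password):
        return paramiko.AUTH_FAILED

transport = paramiko.Transport(sock)
transport.add_server_key(host_key)
transport.start_server(server=Server())
"""

CLIENT_SAMPLE = """
from paramiko import SSHClient

client = SSHClient()
client.load_system_host_keys()
client.connect("host.example", username="deploy", key_filename="/path/to/key")
"""

if __name__ == "__main__":
    for label, sample in (("server", SERVER_SAMPLE), ("client", CLIENT_SAMPLE)):
        print(label, "2.4.1:", assess("2.4.1", sample), "2.4.2:", assess("2.4.2", sample))
```

Run it against the real code base by reading each `.py` file into `find_server_side_usage` and feeding the installed version (for example from `pip show paramiko`) to `assess`. A verdict of UPGRADE_ADVISED matches the situation the statement describes for the listed products: a vulnerable release is installed but the server side is not used, so the flaw is not exposed, though upgrading to the fixed release is still the clean resolution.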