Bug 1900109 (CVE-2020-27781)

Summary: CVE-2020-27781 ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila
Product: [Other] Security Response Reporter: Sage McTaggart <amctagga>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adeza, amctagga, anharris, bniver, branto, danmick, david, dbecker, fedora, flucifre, gcharot, gfidente, gmeno, gouthamr, hvyas, i, jdurgin, jjoyce, josef, jschluet, kdreyer, khiremat, kkeithle, lhh, loic, lpeer, madam, mbenjamin, mburns, mhackett, mhicks, ocs-bugs, pdonnell, pgrist, ramkrsna, rraja, sclewis, security-response-team, slinaber, sostapov, steve, tbarron, tserlin, vereddy, vimartin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Ceph 15.2.8, Ceph 14.2.16 Doc Type: If docs needed, set a value
Doc Text:
User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-12 18:27:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1907531, 1907532, 1908864, 1910485    
Bug Blocks: 1899271    

Description Sage McTaggart 2020-11-20 20:23:52 UTC 
User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila. An OpenStack Manila user can request access to a share to any arbitrary cephx user, including privileged pre-existing users and the interface drivers will retrieve the access key of that user along with providing access to the share. This is then visible to all users of the OpenStack project that owns the share.
Comment 5 Sage McTaggart 2020-12-15 21:13:26 UTC 
Acknowledgments:

Name: Goutham Pacha Ravi (Red Hat), Jahson Babel (Centre de Calcul de l'IN2P3), John Garbutt (StackHPC)
Comment 6 Sage McTaggart 2020-12-17 18:11:47 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1908864]
Comment 9 Sage McTaggart 2020-12-17 18:39:26 UTC 
https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
https://github.com/ceph/ceph/commit/7e3e4e73783a98bb07ab399438eb3aab41a6fc8b

Patches may be found here
Comment 11 Doran Moppert 2020-12-18 02:37:59 UTC 
Statement:

Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.

Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only, that has reached End Of Life. The shipped version of ceph package is no longer used and supported with the release of RHOCS 4.3.

Red Hat Enterprise Linux ceph packages do not include the vulnerable component.
Comment 13 errata-xmlrpc 2021-01-12 14:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:0081 https://access.redhat.com/errata/RHSA-2021:0081
Comment 14 Product Security DevOps Team 2021-01-12 18:27:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27781
Comment 15 errata-xmlrpc 2021-05-06 18:32:03 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 - ELS

Via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518