Bug 1916045 (CVE-2021-3139)

Summary: CVE-2021-3139 tcmu-runner: SCSI target (LIO) write to any block on ILO backstore
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: amarts, amctagga, andy, anharris, bniver, flucifre, gmeno, hvyas, mbenjamin, mhackett, mlombard, prasanna.kalever, puebele, rhs-bugs, sabose, sajmoham, sostapov, vereddy, xiubli
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. This flaw allows an authenticated attacker to send LIO block requests to the Linux system to overwrite data on the backing store. The highest threat from this vulnerability is to integrity. In addition, this flaw affects the tcmu-runner package, where the affected SCSI command is called.
Last Closed: 2021-04-28 22:46:40 UTC
Bug Depends On: 1915549, 1915550, 1915787
Bug Blocks: 1897690

Description Sage McTaggart 2021-01-14 02:11:39 UTC
A flaw was found in the Linux kernel's implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. tcmu-runner calls the affected XCOPY command in SCSI, which lacks a check for transport-layer restrictions, allowing remote modification of files via directory traversal.

Comment 4 Sage McTaggart 2021-01-14 02:18:36 UTC
Created tcmu-runner tracking bugs for this issue:

Affects: fedora-all [bug 1915787]

Comment 6 RaTasha Tillery-Smith 2021-01-15 20:15:54 UTC
Statement:

This issue did not affect the version of tcmu-runner as shipped with Red Hat Gluster Storage 3, as it did not include support for Extended Copy (XCOPY). 

Red Hat Ceph Storage 3 and 4 are affected, as they ship an affected version of tcmu-runner with XCOPY.

Red Hat OpenShift Container Storage (RHOCS) 4 shipped the tcmu-runner package for use with RHOCS 4.2 only, which has reached End of Life. The shipped version of the tcmu-runner package is no longer used and supported with the release of RHOCS 4.3.

Comment 7 RaTasha Tillery-Smith 2021-01-15 20:15:55 UTC
External References:

https://nvd.nist.gov/vuln/detail/CVE-2021-3139

Comment 8 RaTasha Tillery-Smith 2021-01-15 20:15:57 UTC
Mitigation:

As this feature can be guarded behind authentication and firewall rules, limit access with firewall rules and enforce strong password hygiene. This may not be a suitable option if many uncontrolled hosts mount the networked iSCSI device.

Comment 9 Sage McTaggart 2021-02-09 19:38:07 UTC
Modified to accept NVD CVSS upon rescore.

Comment 10 errata-xmlrpc 2021-04-28 20:12:28 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:1452 https://access.redhat.com/errata/RHSA-2021:1452

Comment 11 Product Security DevOps Team 2021-04-28 22:46:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3139

Comment 12 errata-xmlrpc 2021-05-06 18:32:05 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 - ELS

Via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518