Bug 2258831

Summary: CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Sage McTaggart <amctagga>
Component: SecurityAssignee: Sage McTaggart <amctagga>
Status: RELEASE_PENDING --- QA Contact: Vivek Das <vdas>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.1CC: agunn, amctagga, branto, ceph-eng-bugs, cephqe-warriors, danmick, david, dbecker, fedora, gfidente, i, jdurgin, jjoyce, josef, jschluet, kdreyer, kkeithle, lhh, lpeer, mburns, mhicks, ramkrsna, sclewis, security-response-team, sisharma, slinaber, sostapov, steve, sweil, tserlin, uboppana, yehuda
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: 7.1z4   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1575866    

Description Sage McTaggart 2024-01-17 16:10:13 UTC 
+++ This bug was initially created as a clone of Bug #1575866 +++

Service ticket issued using cephx to authenticate with a ceph service like Mon, OSD are vulnerable to replay attack. Ticket is sent with a nonce from client to service, service responds back to client with a mutation of nonce. This lets client verify that the service is what it says it is. Though this does not protect against a replay. If attacker is able to capture/sniff the exchange, attacker can replay the capture to authenticate with ceph service and perform actions only provided by the ceph service.

There are no known exploits against this, attacker has to be on the same network as of ceph cluster to be able to capture exchange.

--- Additional comment from Siddharth Sharma on 2018-05-08 06:58:26 UTC ---

New CVE requested.

--- Additional comment from Siddharth Sharma on 2018-05-08 14:53:28 UTC ---

Created ceph tracking bugs for this issue:

Affects: ceph-1.3 [bug 1576018]

--- Additional comment from Siddharth Sharma on 2018-05-08 14:53:33 UTC ---

THIS COMMENT WAS REMOVED which however causes issues while migrating the vulnerability data to the new Product Security database so I am adding a comment placeholder instead.

--- Additional comment from Siddharth Sharma on 2018-05-08 14:55:02 UTC ---

Created ceph tracking bugs for this issue:

Affects: ceph-2 [bug 1576019]
Affects: ceph-3 [bug 1576020]

--- Additional comment from Siddharth Sharma on 2018-05-08 14:55:07 UTC ---

THIS COMMENT WAS REMOVED which however causes issues while migrating the vulnerability data to the new Product Security database so I am adding a comment placeholder instead.

--- Additional comment from Siddharth Sharma on 2018-07-09 17:00:07 UTC ---

upstream fix:

http://tracker.ceph.com/issues/24836
https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468

--- Additional comment from Siddharth Sharma on 2018-07-09 17:05:29 UTC ---

Created ceph tracking bugs for this issue:

Affects: rhel-8 [bug 1599404]

--- Additional comment from Siddharth Sharma on 2018-07-09 17:08:37 UTC ---

Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1599406]

--- Additional comment from errata-xmlrpc on 2018-07-11 18:10:53 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.0 for Ubuntu 16.04

Via RHSA-2018:2177 https://access.redhat.com/errata/RHSA-2018:2177

--- Additional comment from errata-xmlrpc on 2018-07-11 18:21:09 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2018:2179 https://access.redhat.com/errata/RHSA-2018:2179

--- Additional comment from errata-xmlrpc on 2018-07-13 11:11:02 UTC ---

This bug has been dropped from advisory RHSA-2018:34373 by Siddharth Sharma (sisharma)

--- Additional comment from errata-xmlrpc on 2018-07-13 11:12:18 UTC ---

This bug has been dropped from advisory RHSA-2018:34374 by Siddharth Sharma (sisharma)

--- Additional comment from errata-xmlrpc on 2018-07-26 15:36:03 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 2.5 for Ubuntu 16.04.

Via RHSA-2018:2274 https://access.redhat.com/errata/RHSA-2018:2274

--- Additional comment from errata-xmlrpc on 2018-07-26 18:06:27 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2018:2261 https://access.redhat.com/errata/RHSA-2018:2261

--- Additional comment from Siddharth Sharma on 2018-12-26 03:49:18 UTC ---

Created ceph-common tracking bugs for this issue:

Affects: rhel-7 [bug 1662076]

--- Additional comment from Product Security DevOps Team on 2019-07-24 09:06:55 UTC ---

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1128

--- Additional comment from Summer Long on 2020-11-11 02:43:26 UTC ---

Statement:

Red Hat OpenStack Platform ships the flawed package, however RHOSP deployments use the ceph package directly from the Ceph channel.  A RHOSP ceph update will therefore not be provided at this time, but please ensure that the underlying Red Hat Ceph Storage is updated.

--- Additional comment from Tomas Hoger on 2020-11-11 09:57:39 UTC ---

Fixed upstream in versions: 10.2.11, 12.2.6, and 13.2.1

https://docs.ceph.com/en/latest/releases/jewel/#v10-2-11-jewel
https://docs.ceph.com/en/latest/releases/luminous/#v12-2-6-luminous
https://docs.ceph.com/en/latest/releases/mimic/#v13-2-1-mimic