Bug 2323276

Summary: CVE-2024-48916 ceph: Authentication bypass in CEPH RadosGW [ceph-7]
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Sage McTaggart <amctagga>
Component: SecurityAssignee: Sage McTaggart <amctagga>
Status: CLOSED DUPLICATE QA Contact: Vivek Das <vdas>
Severity: high Docs Contact:
Priority: high    
Version: 7.1CC: abhraj, amctagga, ceph-eng-bugs, cephqe-warriors, jcaratza, sostapov, vdas
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: 7.1z4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2323274
: 2323277 (view as bug list) Environment:
Last Closed: 2025-04-17 14:44:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2323279    

Description Sage McTaggart 2024-11-01 21:04:44 UTC 
+++ This bug was initially created as a clone of Bug #2323274 +++

https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq
Summary below: 
Description
Summary

It is possible to bypass the CEPH rados authentication gw by proving an JWT as demonstrated in the PoC. In this case Keycloak is used as IdP.

This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. Do not mention the customer/organisation in public reports etc.

Details has also been provided to security before. As always, please fix this within 90 days as we plan to go public.
Details

It is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked.

The vulnerability is probably in the RadosGW OIDC provider.
PoC

The HTTP request can be found below. But without the JWT:

POST / HTTP/2
Host: storage.xxx.se
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.21.1 X:nocoverageredesign md/GOOS/darwin md/GOARCH/arm64 api/sts/1.19.0
Content-Type: application/x-www-form-urlencoded
Amz-Sdk-Invocation-Id: 30a74697-7d7e-4c02-b041-97d68156ee78
Amz-Sdk-Request: attempt=1; max=3
Content-Length: 1508
Accept-Encoding: gzip, deflate, br

Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3Aorg_pentest002%3Arole%2Fu-pentest002STS&RoleSessionName=test&Version=2011-06-15&WebIdentityToken=ey..

Impact

This was found during a penetration test. Please assign CVE and credit me as finding this vulnerability. We can also request CVE from Mitre.