Bug 1575866 (CVE-2018-1128) - CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Summary: CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Status: CLOSED ERRATA
Alias: CVE-2018-1128
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Aron Gunn
URL:
Whiteboard: impact=moderate,public=20180709:1200,...
Keywords: Reopened, Security
Depends On: 1662076 1576018 1576019 1576020 1599404 1599406
Blocks: 1574281
TreeView+ depends on / blocked
 
Reported: 2018-05-08 06:35 UTC by Siddharth Sharma
Modified: 2019-06-11 11:13 UTC (History)
17 users (show)

(edit)
It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to the ceph cluster network who is also able to sniff packets on the network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service.
Clone Of:
(edit)
Last Closed: 2019-06-10 10:21:33 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2177 None None None 2018-07-11 18:11 UTC
Red Hat Product Errata RHSA-2018:2179 None None None 2018-07-11 18:21 UTC
Red Hat Product Errata RHSA-2018:2261 None None None 2018-07-26 18:06 UTC
Red Hat Product Errata RHSA-2018:2274 None None None 2018-07-26 15:36 UTC

Description Siddharth Sharma 2018-05-08 06:35:16 UTC
Service ticket issued using cephx to authenticate with a ceph service like Mon, OSD are vulnerable to replay attack. Ticket is sent with a nonce from client to service, service responds back to client with a mutation of nonce. This lets client verify that the service is what it says it is. Though this does not protect against a replay. If attacker is able to capture/sniff the exchange, attacker can replay the capture to authenticate with ceph service and perform actions only provided by the ceph service.

There are no known exploits against this, attacker has to be on the same network as of ceph cluster to be able to capture exchange.

Comment 8 Siddharth Sharma 2018-07-09 17:08:37 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1599406]

Comment 9 errata-xmlrpc 2018-07-11 18:10:53 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.0 for Ubuntu 16.04

Via RHSA-2018:2177 https://access.redhat.com/errata/RHSA-2018:2177

Comment 10 errata-xmlrpc 2018-07-11 18:21:09 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2018:2179 https://access.redhat.com/errata/RHSA-2018:2179

Comment 13 errata-xmlrpc 2018-07-26 15:36:03 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2.5 for Ubuntu 16.04.

Via RHSA-2018:2274 https://access.redhat.com/errata/RHSA-2018:2274

Comment 14 errata-xmlrpc 2018-07-26 18:06:27 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2018:2261 https://access.redhat.com/errata/RHSA-2018:2261


Note You need to log in before you can comment on or make changes to this bug.