Bug 1637263 - (CVE-2018-1000805) CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20180907,repor...
Keywords: Security
Depends On: 1637265 1637266 1637283 1637284 1637367 1637388 1637390 1638842 1639587 1637264 1637285 1637286 1637287 1637288 1637289 1637290 1637291 1637292 1637361 1637362 1637363 1637364 1637365 1637366 1638481
Blocks: 1637267
Reported: 2018-10-08 23:20 EDT by Sam Fowler
Modified: 2018-10-30 12:59 EDT (History)
Fixed In Version: python-paramiko 2.4.2, python-paramiko 2.3.3, python-paramiko 2.2.4, python-paramiko 2.1.6, python-paramiko 2.0.9
External Trackers
Tracker ID                              Priority  Status  Summary  Last Updated
Red Hat Product Errata RHSA-2018:3347   None      None    None     2018-10-30 05:18 EDT
Red Hat Product Errata RHSA-2018:3406   None      None    None     2018-10-30 12:59 EDT
Description Sam Fowler 2018-10-08 23:20:40 EDT
Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code.


Upstream Issue:

https://github.com/paramiko/paramiko/issues/1283


Upstream Patch:

https://github.com/paramiko/paramiko/commit/56c96a65
Comment 1 Sam Fowler 2018-10-08 23:21:53 EDT
Created python-paramiko tracking bugs for this issue:

Affects: epel-all [bug 1637265]
Affects: fedora-all [bug 1637264]
Affects: openstack-rdo [bug 1637266]
Comment 8 Joshua Padman 2018-10-10 23:25:08 EDT
OpenStack consumes the version of paramiko provided by RHEL. However, as per the statement, OpenStack does not use the SSH server functionality of paramiko.
Comment 10 Riccardo Schirone 2018-10-12 10:46:02 EDT
Statement:

This flaw is a user authentication bypass in the SSH Server functionality of paramiko (normally used by subclassing `paramiko.ServerInterface`). Where paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited.

The following Red Hat products use paramiko only in client-side mode. Server-side functionality is not used.

* Red Hat Ceph Storage 2
* Red Hat CloudForms 4
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Virtualization
* Red Hat Gluster Storage 3
* Red Hat Openshift Container Platform
* Red Hat Quick Cloud Installer
* Red Hat Satellite 6
* Red Hat Storage Console 2
* Red Hat OpenStack Platform
* Red Hat Update Infrastructure
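As an added example (not part of the bug report or of the paramiko project), a small Python helper that applies the affected-version list from the description, the "Fixed In Version" field and the exposure statement in comment 10 to an inventory entry; the version strings and the `uses_server_interface` flag are constructed inputs.

```python
"""Branch-aware check of an installed paramiko version against the fixed
releases listed in this bug (2.4.2, 2.3.3, 2.2.4, 2.1.6, 2.0.9), combined
with the exposure statement from comment 10.

Added example; not code from the bug report or from the paramiko project.
The 1.17 and 1.18 branches are listed as affected but no fixed release for
them appears on this page, so any 1.x version is reported as affected.
"""
import re

# Fixed release per minor branch, copied from "Fixed In Version" above.
FIXED_IN = {
    (2, 4): (2, 4, 2),
    (2, 3): (2, 3, 3),
    (2, 2): (2, 2, 4),
    (2, 1): (2, 1, 6),
    (2, 0): (2, 0, 9),
}

def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' (trailing suffixes such as 'rc1' or '.post0'
    are ignored) into a tuple of ints; raise ValueError otherwise."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("not a paramiko version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version_text):
    """True when the release predates the fix on its own branch. Minor
    branches newer than 2.4 are assumed to have been cut after the fix."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        # 1.x: affected per the description, no fixed release listed here.
        return (major, minor) < (2, 0)
    return (major, minor, patch) < fixed

def assess(version_text, uses_server_interface):
    """An affected version is only exposed when the application implements
    paramiko's SSH server side (a paramiko.ServerInterface subclass);
    client-only use via paramiko.SSHClient is not exposed."""
    if not is_affected(version_text):
        return "fixed"
    return "exposed" if uses_server_interface else "affected-not-exposed"

if __name__ == "__main__":
    # Constructed sample inventory: (installed version, exposes SSH server side).
    for version, server in [("2.4.1", True), ("2.4.2", True), ("2.0.8", False)]:
        print(version, "server" if server else "client-only", "->", assess(version, server))
```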
Comment 17 errata-xmlrpc 2018-10-30 05:17:43 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3347 https://access.redhat.com/errata/RHSA-2018:3347
Comment 18 errata-xmlrpc 2018-10-30 12:58:38 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 6.4 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support
  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:3406 https://access.redhat.com/errata/RHSA-2018:3406