Bug 1900109 (CVE-2020-27781) - CVE-2020-27781 ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila
Summary: CVE-2020-27781 ceph: User credentials can be manipulated and stolen by Native...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-27781
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1907531 1907532 1908864 1910485
Blocks: 1899271
TreeView+ depends on / blocked
 
Reported: 2020-11-20 20:23 UTC by Sage McTaggart
Modified: 2022-05-19 11:39 UTC (History)
45 users (show)

Fixed In Version: Ceph 15.2.8, Ceph 14.2.16
Doc Type: If docs needed, set a value
Doc Text:
User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator.
Clone Of:
Environment:
Last Closed: 2021-01-12 18:27:52 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1904015 0 None None None 2020-12-17 18:23:21 UTC
Red Hat Product Errata RHBA-2021:0179 0 None None None 2021-01-18 15:49:06 UTC
Red Hat Product Errata RHSA-2021:0081 0 None None None 2021-01-12 14:55:55 UTC

Description Sage McTaggart 2020-11-20 20:23:52 UTC 
User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila. An OpenStack Manila user can request access to a share to any arbitrary cephx user, including privileged pre-existing users and the interface drivers will retrieve the access key of that user along with providing access to the share. This is then visible to all users of the OpenStack project that owns the share.
Comment 5 Sage McTaggart 2020-12-15 21:13:26 UTC 
Acknowledgments:

Name: Goutham Pacha Ravi (Red Hat), Jahson Babel (Centre de Calcul de l'IN2P3), John Garbutt (StackHPC)
Comment 6 Sage McTaggart 2020-12-17 18:11:47 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1908864]
Comment 9 Sage McTaggart 2020-12-17 18:39:26 UTC 
https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
https://github.com/ceph/ceph/commit/7e3e4e73783a98bb07ab399438eb3aab41a6fc8b

Patches may be found here
Comment 11 Doran Moppert 2020-12-18 02:37:59 UTC 
Statement:

Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP package will not be updated at this time.

Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only, that has reached End Of Life. The shipped version of ceph package is no longer used and supported with the release of RHOCS 4.3.

Red Hat Enterprise Linux ceph packages do not include the vulnerable component.
Comment 13 errata-xmlrpc 2021-01-12 14:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:0081 https://access.redhat.com/errata/RHSA-2021:0081
Comment 14 Product Security DevOps Team 2021-01-12 18:27:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27781
Comment 15 errata-xmlrpc 2021-05-06 18:32:03 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 - ELS

Via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518
Note You need to log in before you can comment on or make changes to this bug.