Bug 1938031 (CVE-2021-20288) - CVE-2021-20288 ceph: Unauthorized global_id reuse in cephx
Summary: CVE-2021-20288 ceph: Unauthorized global_id reuse in cephx
Keywords:
Status: NEW
Alias: CVE-2021-20288
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939093 1940955 1952206 1939092 1952085
Blocks: 1934783
TreeView+ depends on / blocked
 
Reported: 2021-03-11 23:48 UTC by amctagga
Modified: 2021-04-22 22:21 UTC (History)
36 users (show)

Fixed In Version: ceph 14.2.20
Doc Type: If docs needed, set a value
Doc Text:
An authentication flaw was found in ceph. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description amctagga 2021-03-11 23:48:02 UTC
The reuse of old keys to generate new ones, in conjunction with the ability for a user to request any global id, presents an opportunity for an attacker to request a previously valid global id without the corresponding prior key.

Comment 5 amctagga 2021-03-15 19:30:20 UTC
Acknowledgments:

Name: Ilya Dryomov (Red Hat)

Comment 8 Tomas Hoger 2021-03-19 15:59:23 UTC
Statement:

* Red Hat OpenShift Container Storage (RHOCS) 4 shipped ceph package for the usage of RHOCS 4.2 only, that has reached End Of Life. The shipped version of ceph package is no longer used and supported with the release of RHOCS 4.3.

* Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP ceph package will not be updated at this time.

* The ceph packages included in Red Hat Enterprise Linux only provide client side libraries and tools and therefore are not affected by this issue affecting ceph-mon service.

Comment 10 amctagga 2021-04-14 17:23:13 UTC
Upstream patches: 
https://github.com/ceph/ceph/commits/nautilus (commits on top of 14.2.19)
https://github.com/ceph/ceph/commits/octopus (commits on top of 15.2.10)
https://github.com/ceph/ceph/commits/pacific (commits on top of 16.2.0)

Comment 11 Ilya Dryomov 2021-04-14 18:41:45 UTC
Merged into master:

https://github.com/ceph/ceph/commit/f3a4166379b12d4a7bba667fe761e5b660552db1

Comment 13 amctagga 2021-04-21 13:17:14 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1952085]


Note You need to log in before you can comment on or make changes to this bug.