Bug 2258831 - CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Summary: CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Keywords:
Status: RELEASE_PENDING
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Security
Version: 7.1
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
: 7.1z4
Assignee: Sage McTaggart
QA Contact: Vivek Das
URL:
Whiteboard:
Depends On:
Blocks: CVE-2018-1128
TreeView+ depends on / blocked
 
Reported: 2024-01-17 16:10 UTC by Sage McTaggart
Modified: 2025-02-24 19:21 UTC (History)
32 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-8180 0 None None None 2024-01-17 16:12:30 UTC

Description Sage McTaggart 2024-01-17 16:10:13 UTC 
+++ This bug was initially created as a clone of Bug #1575866 +++

Service ticket issued using cephx to authenticate with a ceph service like Mon, OSD are vulnerable to replay attack. Ticket is sent with a nonce from client to service, service responds back to client with a mutation of nonce. This lets client verify that the service is what it says it is. Though this does not protect against a replay. If attacker is able to capture/sniff the exchange, attacker can replay the capture to authenticate with ceph service and perform actions only provided by the ceph service.

There are no known exploits against this, attacker has to be on the same network as of ceph cluster to be able to capture exchange.

--- Additional comment from Siddharth Sharma on 2018-05-08 06:58:26 UTC ---

New CVE requested.

--- Additional comment from Siddharth Sharma on 2018-05-08 14:53:28 UTC ---

Created ceph tracking bugs for this issue:

Affects: ceph-1.3 [bug 1576018]

--- Additional comment from Siddharth Sharma on 2018-05-08 14:53:33 UTC ---

THIS COMMENT WAS REMOVED which however causes issues while migrating the vulnerability data to the new Product Security database so I am adding a comment placeholder instead.

--- Additional comment from Siddharth Sharma on 2018-05-08 14:55:02 UTC ---

Created ceph tracking bugs for this issue:

Affects: ceph-2 [bug 1576019]
Affects: ceph-3 [bug 1576020]

--- Additional comment from Siddharth Sharma on 2018-05-08 14:55:07 UTC ---

THIS COMMENT WAS REMOVED which however causes issues while migrating the vulnerability data to the new Product Security database so I am adding a comment placeholder instead.

--- Additional comment from Siddharth Sharma on 2018-07-09 17:00:07 UTC ---

upstream fix:

http://tracker.ceph.com/issues/24836
https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468

--- Additional comment from Siddharth Sharma on 2018-07-09 17:05:29 UTC ---

Created ceph tracking bugs for this issue:

Affects: rhel-8 [bug 1599404]

--- Additional comment from Siddharth Sharma on 2018-07-09 17:08:37 UTC ---

Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1599406]

--- Additional comment from errata-xmlrpc on 2018-07-11 18:10:53 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.0 for Ubuntu 16.04

Via RHSA-2018:2177 https://access.redhat.com/errata/RHSA-2018:2177

--- Additional comment from errata-xmlrpc on 2018-07-11 18:21:09 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2018:2179 https://access.redhat.com/errata/RHSA-2018:2179

--- Additional comment from errata-xmlrpc on 2018-07-13 11:11:02 UTC ---

This bug has been dropped from advisory RHSA-2018:34373 by Siddharth Sharma (sisharma)

--- Additional comment from errata-xmlrpc on 2018-07-13 11:12:18 UTC ---

This bug has been dropped from advisory RHSA-2018:34374 by Siddharth Sharma (sisharma)

--- Additional comment from errata-xmlrpc on 2018-07-26 15:36:03 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 2.5 for Ubuntu 16.04.

Via RHSA-2018:2274 https://access.redhat.com/errata/RHSA-2018:2274

--- Additional comment from errata-xmlrpc on 2018-07-26 18:06:27 UTC ---

This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2018:2261 https://access.redhat.com/errata/RHSA-2018:2261

--- Additional comment from Siddharth Sharma on 2018-12-26 03:49:18 UTC ---

Created ceph-common tracking bugs for this issue:

Affects: rhel-7 [bug 1662076]

--- Additional comment from Product Security DevOps Team on 2019-07-24 09:06:55 UTC ---

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1128

--- Additional comment from Summer Long on 2020-11-11 02:43:26 UTC ---

Statement:

Red Hat OpenStack Platform ships the flawed package, however RHOSP deployments use the ceph package directly from the Ceph channel.  A RHOSP ceph update will therefore not be provided at this time, but please ensure that the underlying Red Hat Ceph Storage is updated.

--- Additional comment from Tomas Hoger on 2020-11-11 09:57:39 UTC ---

Fixed upstream in versions: 10.2.11, 12.2.6, and 13.2.1

https://docs.ceph.com/en/latest/releases/jewel/#v10-2-11-jewel
https://docs.ceph.com/en/latest/releases/luminous/#v12-2-6-luminous
https://docs.ceph.com/en/latest/releases/mimic/#v13-2-1-mimic
Note You need to log in before you can comment on or make changes to this bug.