Bug 1637263 (CVE-2018-1000805) - CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
Summary: CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000805
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1637264 1637265 1637266 1637284 1637285 1637286 1637287 1637288 1637289 1637290 1637291 1637292 1637361 1637362 1637363 1637364 1637365 1637366 1637367 1637388 1637390 1638481 1638842 1639587
Blocks: 1637267
 
Reported: 2018-10-09 03:20 UTC by Sam Fowler
Modified: 2021-12-10 17:50 UTC (History)

Fixed In Version: python-paramiko 2.4.2, python-paramiko 2.3.3, python-paramiko 2.2.4, python-paramiko 2.1.6, python-paramiko 2.0.9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:39:32 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:3347 | 0 | None | None | None | 2018-10-30 09:18:11 UTC
Red Hat Product Errata | RHSA-2018:3406 | 0 | None | None | None | 2018-10-30 16:59:06 UTC

Internal Links: 1645539

Description Sam Fowler 2018-10-09 03:20:40 UTC
Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code.


Upstream Issue:

https://github.com/paramiko/paramiko/issues/1283


Upstream Patch:

https://github.com/paramiko/paramiko/commit/56c96a65

Comment 1 Sam Fowler 2018-10-09 03:21:53 UTC
Created python-paramiko tracking bugs for this issue:

Affects: epel-all [bug 1637265]
Affects: fedora-all [bug 1637264]
Affects: openstack-rdo [bug 1637266]

Comment 8 Joshua Padman 2018-10-11 03:25:08 UTC
OpenStack consumes the version of paramiko provided by RHEL. However, as per the statement, OpenStack does not use the SSH server functionality of paramiko.

Comment 17 errata-xmlrpc 2018-10-30 09:17:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3347 https://access.redhat.com/errata/RHSA-2018:3347

Comment 18 errata-xmlrpc 2018-10-30 16:58:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 6.4 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support
  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:3406 https://access.redhat.com/errata/RHSA-2018:3406

Comment 19 Doran Moppert 2018-12-14 02:38:11 UTC
This issue was addressed in Red Hat Virtualization in the following errata:

  https://access.redhat.com/errata/RHBA-2018:3497 (rhvm-appliance)
  https://access.redhat.com/errata/RHSA-2018:3470 (redhat-virtualization-host)

Comment 20 Borja Tarraso 2019-03-15 15:45:12 UTC
Ansible consumes the version of paramiko provided by RHEL. However, as per the statement, Ansible does not use the SSH server functionality of paramiko.

Comment 22 Borja Tarraso 2020-01-23 09:10:08 UTC
Statement:

This flaw is a user authentication bypass in the SSH Server functionality of paramiko (normally used by subclassing `paramiko.ServerInterface`). Where paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited.

The following Red Hat products use paramiko only in client-side mode. Server side functionality is not used.

* Red Hat Ansible Engine 2
* Red Hat Ceph Storage 2
* Red Hat CloudForms 4
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Virtualization
* Red Hat Gluster Storage 3
* Red Hat Openshift Container Platform
* Red Hat Quick Cloud Installer
* Red Hat Satellite 6
* Red Hat Storage Console 2
* Red Hat OpenStack Platform
* Red Hat Update Infrastructure

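Added example (not part of the Bugzilla entry and not paramiko's own code): an exposure check that applies the statement above together with the affected and fixed-in versions listed on this page. It classifies a paramiko version as affected, fixed or unknown (the page lists no fixed 1.x release, so 1.x versions newer than 1.18.5 / 1.17.6 are reported as unknown rather than guessed), and scans Python source for the server-side entry points the statement names: subclasses of `paramiko.ServerInterface`, plus calls to `Transport.start_server()`, which is the call that actually puts a paramiko Transport into server mode. The two source snippets are constructed for the example.

```python
"""Exposure check for CVE-2018-1000805 (paramiko SSH server auth bypass).

Added example; not part of the Bugzilla page or of paramiko itself.
Two checks a practitioner would run before deciding whether to care:
  1. Is the paramiko version one the page lists as affected?
  2. Does the code base use paramiko's SSH *server* API at all?
Only the server side is reachable by the flaw; client-only users
(paramiko.SSHClient) on an affected version are not exposed.
"""
import ast
import re
from typing import List, Tuple

# "Fixed In Version" field of the bug, keyed by 2.x branch.
FIXED_IN = {
    (2, 4): (2, 4, 2),
    (2, 3): (2, 3, 3),
    (2, 2): (2, 2, 4),
    (2, 1): (2, 1, 6),
    (2, 0): (2, 0, 9),
}
# Newest affected 1.x releases per the description; no 1.x fix is listed.
LAST_AFFECTED_1X = {(1, 18): (1, 18, 5), (1, 17): (1, 17, 6)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.1' (or '2.4.1.post1') into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised paramiko version: {text!r}")
    return tuple(int(p) for p in m.groups(default="0"))


def affected_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for a paramiko version string."""
    v = parse_version(version)
    branch = v[:2]
    if v[0] == 1:
        if branch in LAST_AFFECTED_1X:
            return "affected" if v <= LAST_AFFECTED_1X[branch] else "unknown"
        # Anything older than the 1.17 branch is covered by "through 1.17.6".
        return "affected" if branch < (1, 17) else "unknown"
    if branch in FIXED_IN:
        return "affected" if v < FIXED_IN[branch] else "fixed"
    # 2.5 and later (and later majors) were cut after the fix landed in 2.4.2.
    return "fixed"


SERVER_BASE_CLASSES = {"ServerInterface"}  # paramiko.ServerInterface subclasses
SERVER_CALLS = {"start_server"}            # Transport.start_server(...)


def find_server_side_usage(source: str, filename: str = "<string>") -> List[str]:
    """Return findings (file:line: what) for paramiko server-side API use."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                # Handles both `ServerInterface` and `paramiko.ServerInterface`.
                name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", None)
                if name in SERVER_BASE_CLASSES:
                    findings.append(f"{filename}:{node.lineno}: class {node.name} subclasses {name}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in SERVER_CALLS:
                findings.append(f"{filename}:{node.lineno}: call to .{node.func.attr}()")
    return findings


def assess(version: str, source: str, filename: str = "<string>") -> str:
    """Combine the version check and the source scan into one verdict."""
    status = affected_status(version)
    usage = find_server_side_usage(source, filename)
    if status == "fixed":
        return "not exposed: paramiko version carries the fix"
    if not usage:
        return f"not exposed: version is {status} but only client-side API is used"
    return f"EXPOSED: version is {status} and server-side API is used ({len(usage)} finding(s))"


# Constructed sample sources (not from any real project).
SERVER_SNIPPET = '''
import paramiko

class Server(paramiko.ServerInterface):
    def check_auth_password(self, username, password):
        return paramiko.AUTH_FAILED

t = paramiko.Transport(sock)
t.add_server_key(host_key)
t.start_server(server=Server())
'''

CLIENT_SNIPPET = '''
import paramiko

client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.RejectPolicy())
client.connect("bastion.example", username="ops", key_filename="/path/to/key")
'''

if __name__ == "__main__":
    for ver in ("2.4.1", "2.4.2", "1.18.5", "1.18.6"):
        print(ver, "->", affected_status(ver))
    for label, src in (("server", SERVER_SNIPPET), ("client", CLIENT_SNIPPET)):
        print(label, "on 2.4.1:", assess("2.4.1", src, f"{label}.py"))
        for line in find_server_side_usage(src, f"{label}.py"):
            print("   ", line)
```

The scan is deliberately narrow: it flags only the two constructs that create a paramiko server (a `ServerInterface` subclass and `start_server()`), so a hit means the flaw is reachable, while a clean result on a large tree should still be confirmed with a grep for `paramiko` in case the server API is reached through a wrapper module.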
