Bug 1570891 (CVE-2018-1112) - CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)
Summary: CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount g...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1112
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1570906 1571037 1571038 1571448 1572188
Blocks: 1570893
TreeView+ depends on / blocked
 
Reported: 2018-04-23 16:28 UTC by Pedro Sampaio
Modified: 2021-02-17 00:25 UTC (History)
31 users (show)

Fixed In Version: glusterfs 3.10.12, glusterfs 4.0.2
Doc Type: If docs needed, set a value
Doc Text:
It was found that fix for CVE-2018-1088 introduced a new vulnerability in the way 'auth.allow' is implemented in glusterfs server. An unauthenticated gluster client could mount gluster storage volumes.
Clone Of:
Environment:
Last Closed: 2018-05-04 13:59:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1268 0 None None None 2018-04-30 12:48:22 UTC
Red Hat Product Errata RHSA-2018:1269 0 None None None 2018-04-30 12:51:12 UTC

Description Pedro Sampaio 2018-04-23 16:28:16 UTC 
The fix for CVE-2018-1088 in glusterfs introduced a new flaw where auth.allow allows all clients to mount volumes.
Comment 11 Siddharth Sharma 2018-04-24 14:31:25 UTC 
Upstream Fix(es):

https://review.gluster.org/#/c/19899/1..2
Comment 12 Siddharth Sharma 2018-04-24 18:11:45 UTC 
External References:

https://access.redhat.com/articles/3422521
Comment 13 Siddharth Sharma 2018-04-24 18:20:17 UTC 
Mitigation:

1. Use TLS Authentication to authenticate gluster clients to limit access to gluster storage volumes

2. The gluster server should be on LAN, firewalled to trusted systems, and not reachable from public networks.
Comment 14 Siddharth Sharma 2018-04-24 20:15:46 UTC 
Created glusterfs tracking bugs for this issue:

Affects: fedora-all [bug 1571448]
Comment 17 Eric Christensen 2018-04-27 11:59:21 UTC 
Statement:

This vulnerability affects gluster servers that use 'auth.allow' to restrict access to gluster volumes. Gluster servers using TLS to authenticate gluster clients are not affected by this. This vulnerability allows any client to connect to any gluster volume which only uses auth.allow to restrict access.

This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6 and 7 because only gluster client is shipped in these products. CVE-2018-1112 affects glusterfs-server package as shipped with Red Hat Gluster Storage 3.
Comment 21 errata-xmlrpc 2018-04-30 12:48:07 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2018:1268 https://access.redhat.com/errata/RHSA-2018:1268
Comment 22 errata-xmlrpc 2018-04-30 12:50:57 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2018:1269 https://access.redhat.com/errata/RHSA-2018:1269
Note You need to log in before you can comment on or make changes to this bug.