Bug 1575866 (CVE-2018-1128) - CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Summary: CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1128
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Aron Gunn
URL:
Whiteboard:
Depends On: 2258831 1576018 1576019 1576020 1599404 1599406 1662076
Blocks: 1574281
TreeView+ depends on / blocked
 
Reported: 2018-05-08 06:35 UTC by Siddharth Sharma
Modified: 2024-01-17 16:10 UTC (History)
28 users (show)

Fixed In Version: ceph 10.2.11, ceph 12.2.6, ceph 13.2.1
Doc Type: If docs needed, set a value
Doc Text:
It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to the ceph cluster network who is also able to sniff packets on the network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service.
Clone Of:
Environment:
Last Closed: 2019-07-24 09:06:55 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2177 0 None None None 2018-07-11 18:11:02 UTC
Red Hat Product Errata RHSA-2018:2179 0 None None None 2018-07-11 18:21:19 UTC
Red Hat Product Errata RHSA-2018:2261 0 None None None 2018-07-26 18:06:36 UTC
Red Hat Product Errata RHSA-2018:2274 0 None None None 2018-07-26 15:36:12 UTC

Description Siddharth Sharma 2018-05-08 06:35:16 UTC 
Service ticket issued using cephx to authenticate with a ceph service like Mon, OSD are vulnerable to replay attack. Ticket is sent with a nonce from client to service, service responds back to client with a mutation of nonce. This lets client verify that the service is what it says it is. Though this does not protect against a replay. If attacker is able to capture/sniff the exchange, attacker can replay the capture to authenticate with ceph service and perform actions only provided by the ceph service.

There are no known exploits against this, attacker has to be on the same network as of ceph cluster to be able to capture exchange.
Comment 6 Siddharth Sharma 2018-07-09 17:00:07 UTC 
upstream fix:

http://tracker.ceph.com/issues/24836
https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468
Comment 8 Siddharth Sharma 2018-07-09 17:08:37 UTC 
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1599406]
Comment 9 errata-xmlrpc 2018-07-11 18:10:53 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.0 for Ubuntu 16.04

Via RHSA-2018:2177 https://access.redhat.com/errata/RHSA-2018:2177
Comment 10 errata-xmlrpc 2018-07-11 18:21:09 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7

Via RHSA-2018:2179 https://access.redhat.com/errata/RHSA-2018:2179
Comment 13 errata-xmlrpc 2018-07-26 15:36:03 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2.5 for Ubuntu 16.04.

Via RHSA-2018:2274 https://access.redhat.com/errata/RHSA-2018:2274
Comment 14 errata-xmlrpc 2018-07-26 18:06:27 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2 for Red Hat Enterprise Linux 7

Via RHSA-2018:2261 https://access.redhat.com/errata/RHSA-2018:2261
Comment 16 Product Security DevOps Team 2019-07-24 09:06:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1128
Comment 17 Summer Long 2020-11-11 02:43:26 UTC 
Statement:

Red Hat OpenStack Platform ships the flawed package, however RHOSP deployments use the ceph package directly from the Ceph channel.  A RHOSP ceph update will therefore not be provided at this time, but please ensure that the underlying Red Hat Ceph Storage is updated.
Comment 18 Tomas Hoger 2020-11-11 09:57:39 UTC 
Fixed upstream in versions: 10.2.11, 12.2.6, and 13.2.1

https://docs.ceph.com/en/latest/releases/jewel/#v10-2-11-jewel
https://docs.ceph.com/en/latest/releases/luminous/#v12-2-6-luminous
https://docs.ceph.com/en/latest/releases/mimic/#v13-2-1-mimic
Note You need to log in before you can comment on or make changes to this bug.