Bug 1938031 (CVE-2021-20288) - CVE-2021-20288 ceph: Unauthorized global_id reuse in cephx
Summary: CVE-2021-20288 ceph: Unauthorized global_id reuse in cephx
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20288
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939092 1939093 1940955 1952085 1952206 2049519
Blocks: 1934783
Reported: 2021-03-11 23:48 UTC by Sage McTaggart
Modified: 2022-05-19 11:39 UTC

Fixed In Version: ceph 14.2.20
Doc Type: If docs needed, set a value
Doc Text:
An authentication flaw was found in ceph. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-06-15 21:03:59 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:1510 0 None None None 2022-04-21 18:39:03 UTC
Red Hat Product Errata RHSA-2021:2445 0 None None None 2021-06-15 17:13:03 UTC
Red Hat Product Errata RHSA-2022:1394 0 None None None 2022-04-19 10:21:00 UTC

Description Sage McTaggart 2021-03-11 23:48:02 UTC
The reuse of old keys to generate new ones, in conjunction with the ability for a user to request any global id, presents an opportunity for an attacker to request a previously valid global id without the corresponding prior key.

Comment 5 Sage McTaggart 2021-03-15 19:30:20 UTC
Acknowledgments:

Name: Ilya Dryomov (Red Hat)

Comment 8 Tomas Hoger 2021-03-19 15:59:23 UTC
Statement:

* Red Hat OpenShift Container Storage (RHOCS) 4 shipped the ceph package for the usage of RHOCS 4.2 only, which has reached End Of Life. The shipped version of the ceph package is no longer used and supported with the release of RHOCS 4.3.

* Red Hat OpenStack Platform deployments use the ceph package directly from the Ceph channel; the RHOSP ceph package will not be updated at this time.

* The ceph packages included in Red Hat Enterprise Linux only provide client-side libraries and tools and therefore are not affected by this issue, which affects the ceph-mon service.

Comment 10 Sage McTaggart 2021-04-14 17:23:13 UTC
Upstream patches: 
https://github.com/ceph/ceph/commits/nautilus (commits on top of 14.2.19)
https://github.com/ceph/ceph/commits/octopus (commits on top of 15.2.10)
https://github.com/ceph/ceph/commits/pacific (commits on top of 16.2.0)

Comment 11 Ilya Dryomov 2021-04-14 18:41:45 UTC
Merged into master:

https://github.com/ceph/ceph/commit/f3a4166379b12d4a7bba667fe761e5b660552db1

Comment 13 Sage McTaggart 2021-04-21 13:17:14 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1952085]

Comment 16 errata-xmlrpc 2021-06-15 17:13:00 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.2

Via RHSA-2021:2445 https://access.redhat.com/errata/RHSA-2021:2445

Comment 17 Product Security DevOps Team 2021-06-15 21:03:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20288

Comment 18 errata-xmlrpc 2022-04-19 10:20:57 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3 - ELS

Via RHSA-2022:1394 https://access.redhat.com/errata/RHSA-2022:1394

