
List:       oss-security
Subject:    [oss-security] Re: CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost
From:       Ana McTaggart <amctagga () redhat ! com>
Date:       2020-11-17 16:30:45
Message-ID: CABBoStheRyxSVH2Bsr5gS_yQRDEGa0PtGBAE1fZO+z-1yxmgQg () mail ! gmail ! com


Correction: the correct CVE is CVE-2020-25660.

Ana McTaggart
Red Hat Product Security
Red Hat Remote <https://www.redhat.com>
secalert@redhat.com for urgent response
amct@redhat.com
M: 7742790791     IM: amctagga
Pronouns: They/Them/Theirs



On Tue, Nov 17, 2020 at 9:10 AM Ana McTaggart <amctagga@redhat.com> wrote:

> Dear all,
> The cephx authentication protocol does not verify ceph clients correctly, and
> is vulnerable to replay attacks in nautilus and later. An attacker with
> access to the Ceph cluster network can use this vulnerability to
> authenticate with the ceph service, via a packet sniffer. This allows them to
> perform actions allowed by the ceph service. This is a reintroduction of
> CVE-2018-1128 [1], affecting the msgr2 protocol. The msgr2 protocol is used for all
> communication except for older clients that do not support the msgr2 protocol.
> The msgr1 protocol is not affected.
>
> This was introduced in commit 321548010578 to msgr2 ("mon/MonClient: skip
> CEPHX_V2 challenge if client doesn't support it"), due to commit
> c58c5754dfd2 ("msg/async/ProtocolV1: use AuthServer and AuthClient"). This
> results in nautilus and ceph being affected because commit c58c5754dfd2
> wasn't backported to nautilus, and although msgr1 isn't affected in
> nautilus, msgr2 is the default. This made it so authorizer challenges
> could be skipped for peers which did not support CEPHX_V2, unfortunately
> making it so authorizer challenges are skipped for all peers in both the msgr1
> and msgr2 cases, disabling the protection that was put in place in commit
> f80b848d3f83 ("auth/cephx: add authorizer challenge", CVE-2018-1128).
>
> Proposed Patch:
> See attached.
>
> We have assigned it a CVE of CVE-2020-25677 at Red Hat.
>
> Credits to Ilya Dryomov
>
> [1] https://www.cvedetails.com/cve/CVE-2018-1128/
>
> Ana McTaggart
> Red Hat Product Security
> Red Hat Remote <https://www.redhat.com>
> secalert@redhat.com for urgent response
> amct@redhat.com
> M: 7742790791     IM: amctagga
> Pronouns: They/Them/Theirs
>
>
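Added here as an illustration, not code from Ceph or from the advisory, and not the cephx wire format: a toy challenge/response model in which the server gates its authorizer challenge on a hypothetical CEPHX_V2 feature bit, compared with a server carrying the regression described above, which skips the challenge for every peer. The names (tag, sniff, HonestClient, Replayer, Server) and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-session-key"  # stands in for a cephx ticket's session key
CEPHX_V2 = 1 << 0                     # hypothetical "peer supports challenges" bit

def tag(*parts):
    # Keyed MAC over the message parts: toy stand-in for cephx's crypto.
    return hmac.new(SECRET, b"|".join(parts), hashlib.sha256).digest()

class HonestClient:
    features = CEPHX_V2
    def authorizer(self):
        return tag(b"authorizer")     # static per ticket, so replayable by itself
    def answer(self, challenge):
        return tag(b"challenge", challenge)  # needs the secret for a fresh value

class Replayer:
    # Knows no secret: only a sniffed authorizer and one challenge/answer pair.
    features = CEPHX_V2
    def __init__(self, auth, ans):
        self.auth, self.ans = auth, ans
    def authorizer(self):
        return self.auth
    def answer(self, challenge):
        return self.ans               # can only echo the recorded answer

def sniff(client):
    # Record one legitimate exchange, as a passive observer on the network would.
    chal = os.urandom(16)
    return Replayer(client.authorizer(), client.answer(chal))

class Server:
    def __init__(self, skip_challenge_for_all):
        self.skip_for_all = skip_challenge_for_all  # True models the regression
    def challenge_required(self, peer_features):
        if self.skip_for_all:
            return False                            # regression: nobody is challenged
        return bool(peer_features & CEPHX_V2)       # intended: skip legacy peers only
    def authenticate(self, client):
        if not hmac.compare_digest(client.authorizer(), tag(b"authorizer")):
            return False
        if not self.challenge_required(client.features):
            return True                             # no freshness proof demanded
        chal = os.urandom(16)
        return hmac.compare_digest(client.answer(chal), tag(b"challenge", chal))
```

With the intended gate, a recorded exchange fails against a fresh challenge; with the regressed gate, the same recording authenticates because no challenge is ever issued.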

