List: oss-security
Subject: [oss-security] CVE-2023-43040 Ceph: Improperly verified POST keys.
From: "Sage [They / Them] McTaggart" <amctagga () redhat ! com>
Date: 2023-09-26 19:00:00
Message-ID: CABBoStiUAn_tdyAcVm_YPcXrpEDdsy15EZ=d34TYvmAEZ9vQ7w () mail ! gmail ! com
Hello all,
A flaw was found in Ceph RGW. An unprivileged user can write to any
bucket(s) accessible by a given key if a POST's form-data contains a key
called 'bucket' with a value matching the name of the bucket used to sign
the request.
The result of this is that a user could actually upload to any bucket
accessible by the specified access key as long as the bucket in the POST
policy matches the bucket in said POST form part.
We have assigned it a CVE of CVE-2023-43040 and the patch is attached.
Credits to Lucas Henry of Digital Ocean.
Sage McTaggart
IBM Product Security
amct@redhat.com
sagemct@ibm.com
Pronouns: They/Them/Theirs
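The override the advisory describes, as an added example that is not Ceph's own code: a toy C++ model of RGW's POST-policy environment in which a later add_var() call overwrites an earlier one, contrasting the pre-fix placement of env.add_var("bucket", ...) (before the form-part loop) with the post-fix placement (after it). PolicyEnv, SignedPolicy, vulnerable_check, fixed_check and has_client_bucket_part are hypothetical names chosen for this example, and the form parts are constructed sample input.

```cpp
// Added example, not Ceph code: a toy model of how RGW builds the POST-policy
// environment from form parts, showing why the position of
// env.add_var("bucket", ...) relative to the form-part loop decides whether a
// client-supplied "bucket" part can override the real target bucket (CVE-2023-43040).
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for RGW's policy env: name -> value, last write wins.
struct PolicyEnv {
    std::map<std::string, std::string> vars;
    void add_var(const std::string& name, const std::string& value) { vars[name] = value; }
    std::string get(const std::string& name) const {
        auto it = vars.find(name);
        return it == vars.end() ? std::string() : it->second;
    }
};

// Form parts as (name, value) pairs in the order the client sent them.
using FormParts = std::vector<std::pair<std::string, std::string>>;

// Minimal model of a signed POST policy: the only condition modelled here is
// that the request's bucket must equal the bucket the policy was signed for.
struct SignedPolicy {
    std::string bucket;
};

bool policy_matches(const SignedPolicy& policy, const PolicyEnv& env) {
    return env.get("bucket") == policy.bucket;
}

// Pre-fix ordering (the '-' lines of the patch): the real bucket is added
// before the form parts are processed, so a part named "bucket" overwrites it.
bool vulnerable_check(const std::string& target_bucket, const FormParts& parts,
                      const SignedPolicy& policy) {
    PolicyEnv env;
    env.add_var("bucket", target_bucket);
    for (const auto& part : parts) {
        env.add_var(part.first, part.second);  // client controls both name and value
    }
    return policy_matches(policy, env);
}

// Post-fix ordering (the '+' lines): form parts first, then the real bucket,
// so whatever the client put in a "bucket" part is discarded.
bool fixed_check(const std::string& target_bucket, const FormParts& parts,
                 const SignedPolicy& policy) {
    PolicyEnv env;
    for (const auto& part : parts) {
        env.add_var(part.first, part.second);
    }
    env.add_var("bucket", target_bucket);  // server-side truth always wins
    return policy_matches(policy, env);
}

// Detection aid (an assumption of this example, not part of the patch): a
// legitimate POST policy upload has no reason to carry a "bucket" form part,
// so its presence is worth logging on the server side.
bool has_client_bucket_part(const FormParts& parts) {
    for (const auto& part : parts) {
        if (part.first == "bucket") return true;
    }
    return false;
}

int main() {
    // Constructed sample: the policy was signed for "signed-bucket", but the
    // request is addressed to "victim-bucket" and carries a "bucket" part.
    SignedPolicy policy{"signed-bucket"};
    FormParts tampered = {{"key", "upload.txt"}, {"bucket", "signed-bucket"}};
    FormParts honest = {{"key", "upload.txt"}};

    std::printf("pre-fix, tampered request accepted:  %s\n",
                vulnerable_check("victim-bucket", tampered, policy) ? "yes" : "no");
    std::printf("post-fix, tampered request accepted: %s\n",
                fixed_check("victim-bucket", tampered, policy) ? "yes" : "no");
    std::printf("post-fix, honest request accepted:   %s\n",
                fixed_check("signed-bucket", honest, policy) ? "yes" : "no");
    std::printf("client supplied a 'bucket' part:     %s\n",
                has_client_bucket_part(tampered) ? "yes" : "no");
    return 0;
}
```

The two check functions differ only in where the server-side bucket is written into the env; that single reordering is the whole fix, and has_client_bucket_part shows the kind of check an operator might add on top of it to make tampered requests visible in logs.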
["rgw.patch" (text/x-patch)]
commit f20fad1744380d6231ecd24ab848ebc26ddd5f9f
Author: Joshua Baergen <jbaergen@digitalocean.com>
Date: Wed May 17 12:17:09 2023 -0600
rgw: Fix bucket validation against POST policies
It's possible that a user could provide a form part as a part of a POST
object upload that uses 'bucket' as a key; in this case, it was
overriding what was being set in the validation env (which is the real
bucket being modified). The result of this is that a user could actually
upload to any bucket accessible by the specified access key by matching
the bucket in the POST policy in said POST form part.
Fix this simply by setting the bucket to the correct value after the
POST form parts are processed, ignoring the form part above if
specified.
Signed-off-by: Joshua Baergen <jbaergen@digitalocean.com>
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index a56ecf655a3..b8f3c7b7a4b 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2660,10 +2660,6 @@ int RGWPostObj_ObjStore_S3::get_params(optional_yield y)
map_qs_metadata(s);
- ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
- << dendl;
- env.add_var("bucket", s->bucket->get_name());
-
bool done;
do {
struct post_form_part part;
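Review bot: deleting the `env.add_var("bucket", s->bucket->get_name());` call here, ahead of the `do { ... }` loop that processes the form parts, leaves the policy env with no `bucket` entry for the whole of that loop, so this hunk is only correct together with the re-addition after the loop; the two hunks must not be split across commits or backported separately. The removed `ldpp_dout(this, 20) << "adding bucket to policy env: "` debug line moves with it and is otherwise unchanged.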
@@ -2714,6 +2710,10 @@ int RGWPostObj_ObjStore_S3::get_params(optional_yield y)
env.add_var(part.name, part_str);
} while (!done);
+ ldpp_dout(this, 20) << "adding bucket to policy env: " << s->bucket->get_name()
+ << dendl;
+ env.add_var("bucket", s->bucket->get_name());
+
string object_str;
if (!part_str(parts, "key", &object_str)) {
err_msg = "Key not specified";
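Review bot: adding the real bucket name after `} while (!done);` makes the server-side value win over any client-supplied `bucket` form part, which closes the override, but the override is now silent: the `ldpp_dout(this, 20)` message is identical to the one removed above and only prints at debug level 20. Consider checking `parts` for a `bucket` entry (the `part_str(parts, "key", &object_str)` lookup just below shows the pattern) and logging at a normal verbosity, or rejecting the request, when one is present, so attempts to rely on the old behaviour remain visible to operators.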