Use of insufficiently random values in ceph (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-1759 |
| CWE-ID | CWE-330 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ceph (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Use of insufficiently random values
EUVDB-ID: #VU31809
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-1759
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can allow an attacker to forge auth tags and potentially manipulate the data by leveraging the reuse of a nonce in a session. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsceph (Alpine package): 14.2.8-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=a2d911e64f7f95e990fdee223abc710d81e39fc6
http://git.alpinelinux.org/aports/commit/?id=2dda68448cfdb97f20e4a2e56b30e5f6e9771121
http://git.alpinelinux.org/aports/commit/?id=327c8e45697d9dd3eb02fbd36281d11f484b1ebe
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
