#VU53692 Improper Authentication in Ceph - CVE-2021-20288


Vulnerability identifier: #VU53692

Vulnerability risk: Medium

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-20288

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ceph
Server applications / Other server solutions

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in authentication flow related to CEPHX_GET_AUTH_SESSION_KEY requests. The application does not check other_keys and allows key reuse. A remote attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ceph: 14.0.0 - 16.2.0

External links
https://bugzilla.redhat.com/show_bug.cgi?id=1938031
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/362CEPPYF3YMJZBEJQUT3KDE2EHYYIYQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5BPIAYTRCWAU4XWCDBK2THEFVXSC4XGK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVWUKUUS5BCIFWRV3JCUQMAPJ4HIWSED/
https://security.gentoo.org/glsa/202105-39

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler update for ceph
Authentication bypass in Red Hat Ceph Storage
Gentoo update for Ceph
Improper authentication in Ceph
SUSE update for ceph
Fedora 32 update for ceph
Fedora 33 update for ceph
Fedora 34 update for ceph