Bug 1121850 (CVE-2018-16886)

Summary: VUL-0: CVE-2018-16886: etcd: Improper authentication issue when RBAC and client-cert-auth is enabled
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Panagiotis Georgiadis <pgeorgiadis>
Status: RESOLVED FIXED QA Contact: George Gkioulis <ggkioulis>
Severity: Normal    
Priority: P2 - High CC: dbelcher, dcooper, fcastelli, ggkioulis, jmassaguerpla, pgeorgiadis, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/222744/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2019-01-14 13:00:53 UTC 
etcd versions 3.2.0 through 3.3.10 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

Introduced in commit:
https://github.com/etcd-io/etcd/commit/0191509637546621d6f2e18e074e955ab8ef374d

Upstream issue:
https://github.com/etcd-io/etcd/pull/10366

Upstream patch:
https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
https://github.com/etcd-io/etcd/commit/a9a9466fb8ba11ad7bb6a44d7446fbd072d59887
https://github.com/etcd-io/etcd/commit/99704e2a97e8710da942bdc737417fc9c9a2c03f
https://github.com/etcd-io/etcd/commit/83c051b701d33261eef91a719e4421c81b000ba4

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1651034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16886
http://seclists.org/oss-sec/2019/q1/65
Comment 1 Alexandros Toptsoglou 2019-01-14 13:07:56 UTC 
Only version 3.3.1 is affected which is found in the codestream 
SUSE:SLE-12-SP3:Update:Products:CASP30:Update 

The issue is fixed in upstream versions 3.3.11 and 3.2.26. 
Any version before 3.2.0 is not affected
Comment 2 Flavio Castelli 2019-01-30 10:20:26 UTC 
Adding the security folks of caasp to CC.

The simplest fix would be to upgrade to etcd 3.3.11
Comment 3 Panagiotis Georgiadis 2019-01-30 13:06:36 UTC 
I will update the package to 3.3.11
Comment 4 Panagiotis Georgiadis 2019-01-31 13:45:18 UTC 
QA: The package is ready for testing https://build.suse.de/package/show/Devel:CASP:3.0:ControllerNode/etcd
Comment 5 George Gkioulis 2019-02-07 02:32:34 UTC 
FIX VALIDATION


BEFORE
======

admin:~ # rpm -q etcd etcdctl
	etcd-3.3.1-3.3.1.x86_64
	etcdctl-3.3.1-3.3.1.x86_64


AFTER
=====

admin:~ # rpm -q etcd etcdctl
	etcd-3.3.11-1.1.x86_64
	etcdctl-3.3.11-1.1.x86_64


FIX STATUS
==========

Status: Ready for maintenance
Comment 6 Jordi Massaguer 2019-02-08 08:39:55 UTC 
https://build.suse.de/request/show/183930
Comment 7 Swamp Workflow Management 2019-02-12 11:10:52 UTC 
SUSE-SU-2019:0330-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1095184,1118897,1121850
CVE References: CVE-2018-16873,CVE-2018-16886
Sources used:
SUSE CaaS Platform 3.0 (src):    etcd-3.3.11-3.6.1
Comment 8 Jordi Massaguer 2019-02-12 12:30:57 UTC 
I see the package is also in Devel:CASP:Head:ControllerNode.
Closing as fixed.