Bug 1121850 - (CVE-2018-16886) VUL-0: CVE-2018-16886: etcd: Improper authentication issue when RBAC and client-cert-auth is enabled
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Normal
Target Milestone: ---
Assigned To: Panagiotis Georgiadis
QA Contact: George Gkioulis
URL: https://smash.suse.de/issue/222744/
Reported: 2019-01-14 13:00 UTC by Alexandros Toptsoglou
Modified: 2019-06-06 09:05 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-01-14 13:00:53 UTC
etcd versions 3.2.0 through 3.3.10 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

Introduced in commit:
https://github.com/etcd-io/etcd/commit/0191509637546621d6f2e18e074e955ab8ef374d

Upstream issue:
https://github.com/etcd-io/etcd/pull/10366

Upstream patch:
https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
https://github.com/etcd-io/etcd/commit/a9a9466fb8ba11ad7bb6a44d7446fbd072d59887
https://github.com/etcd-io/etcd/commit/99704e2a97e8710da942bdc737417fc9c9a2c03f
https://github.com/etcd-io/etcd/commit/83c051b701d33261eef91a719e4421c81b000ba4

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1651034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16886
http://seclists.org/oss-sec/2019/q1/65
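As an added illustration of the decision the description above is about (example code written for this page, not etcd's own), the Go model below puts the pre-fix CN lookup next to a hardened version that ignores the CN when the call was relayed by the gRPC-gateway. It assumes, as the description implies, that relayed REST calls reach the gRPC server bearing the CN of the etcd client-server certificate and that such calls can be recognised by a metadata marker; the marker name and all type names are placeholders.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// Request models what server-side auth code sees about one gRPC call: the verified
// client certificate chain on the TLS peer and the incoming gRPC metadata (names are this example's own).
type Request struct {
	VerifiedChains [][]*x509.Certificate
	Metadata       map[string][]string
}

// gatewayMarker is a placeholder for the metadata key marking a call as
// relayed by the gRPC-gateway; etcd's real key is not in this bug report.
const gatewayMarker = "x-via-grpc-gateway"

var ErrNoCertUser = errors.New("no username derivable from client certificate")

// usernameFromCNVulnerable models the pre-fix decision the bug describes: any verified
// chain yields its leaf CN as the RBAC username, even when that chain is the gateway's own certificate.
func usernameFromCNVulnerable(r Request) (string, error) {
	for _, chain := range r.VerifiedChains {
		if len(chain) > 0 && chain[0].Subject.CommonName != "" {
			return chain[0].Subject.CommonName, nil
		}
	}
	return "", ErrNoCertUser
}

// usernameFromCNFixed refuses CN-based authentication for relayed calls, so a
// REST caller can no longer inherit the CN of the gateway's certificate.
func usernameFromCNFixed(r Request) (string, error) {
	if len(r.Metadata[gatewayMarker]) > 0 {
		return "", ErrNoCertUser // REST callers must use token auth instead
	}
	return usernameFromCNVulnerable(r)
}

func main() {
	// Constructed case: relayed call whose chain's leaf CN is "root", an RBAC user.
	r := Request{Metadata: map[string][]string{gatewayMarker: {"1"}},
		VerifiedChains: [][]*x509.Certificate{{{Subject: pkix.Name{CommonName: "root"}}}}}
	fmt.Println(usernameFromCNVulnerable(r)) // accepts CN "root"
	fmt.Println(usernameFromCNFixed(r))      // rejects it
}
```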
Comment 1 Alexandros Toptsoglou 2019-01-14 13:07:56 UTC
Only version 3.3.1 is affected, which is found in the codestream
SUSE:SLE-12-SP3:Update:Products:CASP30:Update

The issue is fixed in upstream versions 3.3.11 and 3.2.26.
Any version before 3.2.0 is not affected.
Comment 2 Flavio Castelli 2019-01-30 10:20:26 UTC
Adding the security folks of caasp to CC.

The simplest fix would be to upgrade to etcd 3.3.11.
Comment 3 Panagiotis Georgiadis 2019-01-30 13:06:36 UTC
I will update the package to 3.3.11.
Comment 4 Panagiotis Georgiadis 2019-01-31 13:45:18 UTC
QA: The package is ready for testing https://build.suse.de/package/show/Devel:CASP:3.0:ControllerNode/etcd
Comment 5 George Gkioulis 2019-02-07 02:32:34 UTC
FIX VALIDATION


BEFORE
======

admin:~ # rpm -q etcd etcdctl
	etcd-3.3.1-3.3.1.x86_64
	etcdctl-3.3.1-3.3.1.x86_64


AFTER
=====

admin:~ # rpm -q etcd etcdctl
	etcd-3.3.11-1.1.x86_64
	etcdctl-3.3.11-1.1.x86_64


FIX STATUS
==========

Status: Ready for maintenance
Comment 6 Jordi Massaguer 2019-02-08 08:39:55 UTC
https://build.suse.de/request/show/183930
Comment 7 Swamp Workflow Management 2019-02-12 11:10:52 UTC
SUSE-SU-2019:0330-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1095184,1118897,1121850
CVE References: CVE-2018-16873,CVE-2018-16886
Sources used:
SUSE CaaS Platform 3.0 (src):    etcd-3.3.11-3.6.1
Comment 8 Jordi Massaguer 2019-02-12 12:30:57 UTC
I see the package is also in Devel:CASP:Head:ControllerNode.
Closing as fixed.