Bug 1177843 - (CVE-2020-25660) VUL-0: CVE-2020-25660: ceph: CEPHX_V2 replay attack protection lost (problematic fix for CVE-2018-1128)
Status: RESOLVED FIXED
: 1177859 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
All SLES 15
: P1 - Urgent : Major
: unspecified
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/269722/
CVSSv3.1:SUSE:CVE-2020-25660:7.5:(AV:...
Reported: 2020-10-18 09:44 UTC by Lars Marowsky-Bree
Modified: 2021-11-23 18:40 UTC (History)

Found By: Development
Comment 31 Wolfgang Frisch 2020-11-17 15:57:15 UTC
via oss-security:

Subject: CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost

Dear all,
cephx authentication protocol does not verify ceph clients correctly, and
is vulnerable to replay attacks in nautilus and later. An attacker with
access to the Ceph cluster network can use this vulnerability to
authenticate with ceph service, via a packet sniffer. This allows them to
perform actions allowed by the ceph service. This is a reintroduction of
CVE-2018-1128[1], affecting msgr2 protocol. msgr2 protocol is used for all
communication except for older clients that do not support msgr2 protocol.
msgr1 protocol is not affected.

This was introduced in commit to msgr2 321548010578 ("mon/MonClient: skip
CEPHX_V2 challenge if client doesn't support it"), due to commit
c58c5754dfd2 ("msg/async/ProtocolV1: use AuthServer and AuthClient"). This
results in nautilus and ceph being affected because commit c58c5754dfd2
wasn't backported to nautilus, and although msgr1 isn't affected in
nautilus, msgr2 is the default. This made it so authorizer challenges
could be skipped for peers which did not support CEPHX_V2, unfortunately
making it so authorizer challenges are skipped for all peers in both msgr1
and msgr2 cases, disabling the protection that was put in place in commit
f80b848d3f83 ("auth/cephx: add authorizer challenge", CVE-2018-1128).

Proposed Patch:
See attached.

We have assigned it a CVE of CVE-2020-25677 at Red Hat.

Credits to Ilya Dryomov

[1] https://www.cvedetails.com/cve/CVE-2018-1128/

Ana McTaggart

Red Hat Product Security
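
A toy model of the authorizer-challenge check described in comment 31, added here as an illustration; it is not Ceph code and not part of the oss-security posting. The HMAC construction, the `Service` class and the `skip_challenge` flag are assumptions standing in for the cephx authorizer, and the key is constructed.

```python
import hashlib
import hmac
import os

# Constructed shared secret; real cephx derives session keys from service tickets.
SESSION_KEY = b"constructed-demo-session-key"


def make_authorizer(key, client_nonce, server_challenge=None):
    """Client side: MAC over its own nonce and, if given, the server's challenge."""
    msg = client_nonce + (server_challenge or b"")
    return client_nonce, hmac.new(key, msg, hashlib.sha256).digest()


class Service:
    """Toy service. skip_challenge=True models the regression described above."""

    def __init__(self, key, skip_challenge):
        self.key = key
        self.skip_challenge = skip_challenge
        self.pending = {}  # connection id -> challenge issued on that connection

    def verify(self, conn_id, authorizer):
        """Return 'ok', 'bad', or ('challenge', value) if the peer must retry."""
        nonce, tag = authorizer
        if self.skip_challenge:
            # Nothing server-chosen is bound into the MAC: any old authorizer verifies.
            expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
            return "ok" if hmac.compare_digest(tag, expected) else "bad"
        challenge = self.pending.get(conn_id)
        if challenge is None:
            # First attempt on this connection: issue a fresh random challenge.
            self.pending[conn_id] = os.urandom(16)
            return ("challenge", self.pending[conn_id])
        expected = hmac.new(self.key, nonce + challenge, hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(tag, expected) else "bad"


def replay_accepted(skip_challenge):
    """One legitimate exchange, then the same bytes presented on a new connection."""
    svc = Service(SESSION_KEY, skip_challenge)
    nonce = os.urandom(8)
    captured = make_authorizer(SESSION_KEY, nonce)
    first = svc.verify("conn-1", captured)
    if first != "ok":  # challenged: the legitimate client answers with the key
        captured = make_authorizer(SESSION_KEY, nonce, first[1])
        assert svc.verify("conn-1", captured) == "ok"
    # New connection: only the captured bytes are available, not the key.
    result = svc.verify("conn-2", captured)
    if isinstance(result, tuple):  # a fresh challenge was issued for conn-2
        result = svc.verify("conn-2", captured)
    return result == "ok"
```

With the challenge enforced, the captured authorizer is bound to the first connection's challenge and fails against the second; with the challenge skipped, it verifies unchanged.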
Comment 32 Wolfgang Frisch 2020-11-17 16:49:24 UTC
The oss-security posting refers to the wrong CVE.
CVE-2020-25660 is the only and correct identifier.
Comment 33 Swamp Workflow Management 2020-11-20 14:17:46 UTC
SUSE-SU-2020:3459-1: An update that solves one vulnerability and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1151612,1158257,1169134,1170487,1174591,1175061,1175240,1175781,1177843
CVE References: CVE-2020-25660
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.13.450+g65ea1b614d-3.52.1
SUSE Enterprise Storage 6 (src):    ceph-14.2.13.450+g65ea1b614d-3.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Swamp Workflow Management 2020-11-21 11:36:45 UTC
SUSE-SU-2020:3473-1: An update that solves one vulnerability, contains two features and has 23 fixes is now available.

Category: security (moderate)
Bug References: 1163764,1170200,1170498,1173079,1174466,1174529,1174644,1175120,1175161,1175169,1176451,1176499,1176638,1177078,1177151,1177319,1177344,1177450,1177643,1177676,1177843,1177933,1178073,1178531
CVE References: CVE-2020-25660
JIRA References: SES-1071,SES-185
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ceph-15.2.5.667+g1a579d5bf2-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Nathan Cutler 2020-11-23 14:52:55 UTC
This is now fixed in both SES6 and SES7. Back to security for further disposition.
Comment 36 Alexandros Toptsoglou 2020-11-23 15:23:59 UTC
Done
Comment 37 Swamp Workflow Management 2020-11-26 20:22:07 UTC
SUSE-SU-2020:3539-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1170200,1174466,1177344,1177843,1178073,1178531
CVE References: CVE-2020-25660
JIRA References: 
Sources used:
SUSE Enterprise Storage 7 (src):    ceph-15.2.5.667+g1a579d5bf2-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Swamp Workflow Management 2020-11-26 20:34:20 UTC
SUSE-SU-2020:3473-2: An update that solves one vulnerability, contains two features and has 23 fixes is now available.

Category: security (moderate)
Bug References: 1163764,1170200,1170498,1173079,1174466,1174529,1174644,1175120,1175161,1175169,1176451,1176499,1176638,1177078,1177151,1177319,1177344,1177450,1177643,1177676,1177843,1177933,1178073,1178531
CVE References: CVE-2020-25660
JIRA References: SES-1071,SES-185
Sources used:
SUSE Enterprise Storage 7 (src):    ceph-15.2.5.667+g1a579d5bf2-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 39 Swamp Workflow Management 2020-11-27 05:15:38 UTC
openSUSE-SU-2020:2057-1: An update that solves one vulnerability and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1151612,1158257,1169134,1170487,1174591,1175061,1175240,1175781,1177843
CVE References: CVE-2020-25660
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    ceph-14.2.13.450+g65ea1b614d-lp151.2.28.1, ceph-test-14.2.13.450+g65ea1b614d-lp151.2.28.1
Comment 40 Swamp Workflow Management 2020-11-27 17:26:15 UTC
openSUSE-SU-2020:2082-1: An update that solves one vulnerability and has 23 fixes is now available.

Category: security (moderate)
Bug References: 1163764,1170200,1170498,1173079,1174466,1174529,1174644,1175120,1175161,1175169,1176451,1176499,1176638,1177078,1177151,1177319,1177344,1177450,1177643,1177676,1177843,1177933,1178073,1178531
CVE References: CVE-2020-25660
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ceph-15.2.5.667+g1a579d5bf2-lp152.2.3.1, ceph-test-15.2.5.667+g1a579d5bf2-lp152.2.3.1