SB2021060110 - Gentoo update for Ceph

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021060110

SB2021060110 - Gentoo update for Ceph

Published: June 1, 2021

Security Bulletin ID SB2021060110
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 71% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2020-10753)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.


2) Use of insufficiently random values (CVE-ID: CVE-2020-1759)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can allow an attacker to forge auth tags and potentially manipulate the data by leveraging the reuse of a nonce in a session. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks.


3) Stored cross-site scripting (CVE-ID: CVE-2020-1760)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2020-25660)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists with in the implementation of the Cephx authentication protocol. A remote attacker with access to the Ceph cluster network can intercept authentication packets and perform  replay attacks in Nautilus.

The vulnerability affects msgr2 protocol only and is basically a reintroduction of previously patched vulnerability #VU14542.


5) Cleartext storage of sensitive information (CVE-ID: CVE-2020-25678)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in Ceph due ti application stores the mgr module passwords in clear text. A local user can gain access to the password by searching the mgr logs for grafana and dashboard.


6) Insufficiently protected credentials (CVE-ID: CVE-2020-27781)

The vulnerability allows a local user to gain access to credentials of other application users.

The vulnerability exists due to the way credentials sharing is implemented. User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator.


7) Improper Authentication (CVE-ID: CVE-2021-20288)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in authentication flow related to CEPHX_GET_AUTH_SESSION_KEY requests. The application does not check other_keys and allows key reuse. A remote attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones.


Remediation

Install update from vendor's website.

References