#VU66551 Use of a broken or risky cryptographic algorithm in Red Hat Ceph Storage - CVE-2021-3979

Cybersecurity Help s.r.o.

Published: 2022-08-16

Vulnerability identifier: #VU66551

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3979

CWE-ID: CWE-327

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Red Hat Ceph Storage
Server applications / File servers (FTP/HTTP)

Vendor: Red Hat Inc.

Description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to Ceph volume does not the honour osd_dmcrypt_key_size, resulting in the key length is being incorrectly passed in an encryption algorithm to create a non random key. An attacker with physical access to encrypted device can decrypt data and gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Red Hat Ceph Storage: 5.0

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2024788
https://access.redhat.com/errata/RHSA-2022:1174

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for ceph

SUSE update for ceph

Fedora 37 update for ceph

SUSE update for ceph

openEuler update for ceph