CVE-2018-1128 : It was found that cephx authentication protocol did not verify ceph clients corr

It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.

Published 2018-07-10 14:29:00

Updated 2020-11-17 19:15:11

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2018-1128

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Ceph
Versions from including (>=) 10.2.0 and up to, including, (<=) 13.2.1
cpe:2.3:a:redhat:ceph:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ceph Storage Osd » Version: 2
cpe:2.3:a:redhat:ceph_storage_osd:2:*:*:*:*:*:*:*
Matching versions
Redhat » Ceph Storage Osd » Version: 3
cpe:2.3:a:redhat:ceph_storage_osd:3:*:*:*:*:*:*:*
Matching versions
Redhat » Ceph Storage Mon » Version: 2
cpe:2.3:a:redhat:ceph_storage_mon:2:*:*:*:*:*:*:*
Matching versions
Redhat » Ceph Storage Mon » Version: 3
cpe:2.3:a:redhat:ceph_storage_mon:3:*:*:*:*:*:*:*
Matching versions
Redhat » Ceph Storage » Version: 3
cpe:2.3:a:redhat:ceph_storage:3:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.0
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2018-1128

Top countries where our scanners detected CVE-2018-1128

Top open port discovered on systems with this issue 53

IPs affected by CVE-2018-1128 636,251

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2018-1128!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2018-1128

EPSS FAQ

1.64%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 80 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-1128

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	AV:A/AC:M/Au:N/C:P/I:P/A:P	5.5	6.4	NIST
Access Vector: Adjacent Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-1128

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)
CWE-294 Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2018-1128

https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html

[SECURITY] [DLA 1715-1] linux-4.9 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:2274

RHSA-2018:2274 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468

auth/cephx: add authorizer challenge · ceph/ceph@5ead971 · GitHub
Patch;Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/11/17/4

oss-security - Re: CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html

[security-announce] openSUSE-SU-2019:1284-1: moderate: Security update f
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1575866

1575866 – (CVE-2018-1128) CVE-2018-1128 ceph: cephx protocol is vulnerable to replay attack
Issue Tracking;Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2261

RHSA-2018:2261 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2018/dsa-4339

Debian -- Security Information -- DSA-4339-1 ceph
Third Party Advisory

CVEs referencing this url
http://tracker.ceph.com/issues/24836

Bug #24836: auth: cephx authorizer subject to replay - RADOS - Ceph
Issue Tracking;Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2177

RHSA-2018:2177 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2020/11/17/3

oss-security - CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost
https://access.redhat.com/errata/RHSA-2018:2179

RHSA-2018:2179 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url