CVE - CVE-2018-1128

CVE-ID
CVE-2018-1128	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:http://tracker.ceph.com/issues/24836 CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1575866 CONFIRM:https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468 DEBIAN:DSA-4339 URL:https://www.debian.org/security/2018/dsa-4339 MLIST:[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update URL:https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html MLIST:[oss-security] 20201117 CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost URL:http://www.openwall.com/lists/oss-security/2020/11/17/3 MLIST:[oss-security] 20201117 Re: CVE-2020-25677 ceph: CEPHX_V2 replay attack protection lost URL:http://www.openwall.com/lists/oss-security/2020/11/17/4 REDHAT:RHSA-2018:2177 URL:https://access.redhat.com/errata/RHSA-2018:2177 REDHAT:RHSA-2018:2179 URL:https://access.redhat.com/errata/RHSA-2018:2179 REDHAT:RHSA-2018:2261 URL:https://access.redhat.com/errata/RHSA-2018:2261 REDHAT:RHSA-2018:2274 URL:https://access.redhat.com/errata/RHSA-2018:2274 SUSE:openSUSE-SU-2019:1284 URL:http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00100.html
Assigning CNA
Red Hat, Inc.
Date Record Created
20171204	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20171204)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)