CVE-2021-20288
📋 TL;DR
CVE-2021-20288 is a vulnerability in Ceph that allows attackers to reuse authentication keys, because other_keys is not sanitized properly while handling CEPHX_GET_AUTH_SESSION_KEY requests. An attacker who can request a global_id can obtain keys previously associated with other users, potentially compromising data confidentiality, integrity, and system availability. Ceph storage clusters before version 14.2.20 are affected.
💻 Affected Systems
- Ceph
📦 What is this software?
Ceph by Linuxfoundation
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Ceph cluster authentication, allowing unauthorized access to all stored data, data manipulation, and potential denial of service through privilege escalation.
Likely Case
Unauthorized access to sensitive data stored in Ceph clusters, potential data exfiltration or modification by authenticated attackers.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still presents authentication bypass risk within the Ceph environment.
🎯 Exploit Status
Exploitation requires some authentication access to request global_id, but detailed exploit techniques are not publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.2.20 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1938031
Restart Required: Yes
Instructions:
1. Update Ceph to version 14.2.20 or later.
2. Restart Ceph monitor services.
3. Verify all cluster components are running the patched version.
🔧 Temporary Workarounds
Network segmentation
Restrict access to Ceph monitor ports to trusted networks only:
iptables -A INPUT -p tcp --dport 6789 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 6789 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can communicate with Ceph monitor services
- Enable detailed authentication logging and monitor for unusual key request patterns
🔍 How to Verify
Check if Vulnerable:
Run the 'ceph version' command and check whether the reported version is below 14.2.20.
Check Version:
ceph version
Verify Fix Applied:
Run 'ceph version' and confirm version is 14.2.20 or higher, then verify monitor services are running properly
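The verification steps above compare one version string by eye. The script below, added here as an example and not taken from the Ceph project, does the comparison programmatically and extends it to step 3 of the fix instructions by reading the per-daemon output of `ceph versions` (the plural form, which prints a JSON map of daemon type to running version strings). Versions from release lines other than 14.x are reported as "check-release-line" rather than "patched", because this page only states the fixed version for the 14.x line. The sample output strings are constructed; the build hashes in them are placeholders.

```python
"""Classify `ceph version` / `ceph versions` output against the fixed release.

Added example for this advisory, not code from the Ceph project. The sample
strings below are constructed to resemble the CLI output and were not captured
from a real cluster.
"""
import json
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release named in the advisory for the 14.x (Nautilus) line.
FIXED: Version = (14, 2, 20)

# `ceph version` prints "ceph version X.Y.Z (<build hash>) <codename> (<stability>)";
# only the numeric triple matters here.
_VERSION_RE = re.compile(r"ceph version (\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from CLI output, or None if it is not found."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(version: Version) -> str:
    """Map a version to one of: vulnerable, patched, check-release-line.

    Anything below 14.2.20 is vulnerable per the advisory; 14.2.20 and later
    within the 14.x line is patched. Later release lines (15.x and up) have
    their own fixed versions, which this page does not list, so they are
    flagged for a separate check instead of being reported as patched.
    """
    if version < FIXED:
        return "vulnerable"
    if version[0] == FIXED[0]:
        return "patched"
    return "check-release-line"


def classify_output(text: str) -> str:
    """Classify a single `ceph version` output string."""
    version = parse_version(text)
    return "unparsable" if version is None else classify(version)


def classify_cluster(versions_json: str) -> Dict[str, Dict[str, str]]:
    """Classify every running daemon version reported by `ceph versions`.

    That command prints JSON of the form {"mon": {"<version string>": <count>}, ...}
    plus an "overall" summary key, which is skipped here.
    """
    report: Dict[str, Dict[str, str]] = {}
    for daemon_type, by_version in json.loads(versions_json).items():
        if daemon_type == "overall":
            continue
        report[daemon_type] = {vs: classify_output(vs) for vs in by_version}
    return report


def cluster_is_patched(versions_json: str) -> bool:
    """True only when every daemon of every type classifies as patched."""
    return all(
        status == "patched"
        for by_version in classify_cluster(versions_json).values()
        for status in by_version.values()
    )


def check_live_cluster() -> Dict[str, Dict[str, str]]:
    """Run `ceph versions` on this host (needs a working admin keyring)."""
    out = subprocess.run(["ceph", "versions"], capture_output=True, text=True,
                         check=True, timeout=30).stdout
    return classify_cluster(out)


# Constructed sample: monitors updated, OSDs only partly rolled. The 40-digit
# hashes are placeholders, not real Ceph build ids.
_NEW = "ceph version 14.2.20 (0000000000000000000000000000000000000000) nautilus (stable)"
_OLD = "ceph version 14.2.16 (1111111111111111111111111111111111111111) nautilus (stable)"
SAMPLE_VERSIONS = json.dumps({
    "mon": {_NEW: 3},
    "osd": {_OLD: 4, _NEW: 8},
    "overall": {_OLD: 4, _NEW: 11},
})

if __name__ == "__main__":
    for daemon_type, by_version in classify_cluster(SAMPLE_VERSIONS).items():
        for version_string, status in by_version.items():
            print(f"{daemon_type}: {status:<20} {version_string}")
    print("cluster fully patched:", cluster_is_patched(SAMPLE_VERSIONS))
```

A rolling upgrade leaves mixed versions for a while; `cluster_is_patched` only returns True once no daemon type still reports a pre-14.2.20 build, which is the condition step 3 of the fix instructions asks for.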
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of CEPHX_GET_AUTH_SESSION_KEY requests
- Multiple authentication attempts from single source with different global_ids
- Authentication failures followed by successful key reuse
Network Indicators:
- Excessive authentication requests to monitor port 6789
- Unusual traffic patterns between clients and Ceph monitors
SIEM Query:
source="ceph.log" AND "CEPHX_GET_AUTH_SESSION_KEY" | stats count by src_ip, global_id
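The three log indicators and the SIEM query above can be computed offline from exported monitor logs. The script below is an added example, not code from Ceph or from this advisory's authors: it assumes a constructed, simplified one-line-per-request log layout (real Ceph monitor log lines look different and need their own regex, and cephx request details only appear at elevated monitor debug levels), and from it derives the `stats count by src_ip, global_id` aggregation, sources cycling through many global_ids, denied requests followed by successful ones, and the reuse pattern itself: one global_id appearing from more than one source address.

```python
"""Hunt for cephx global_id reuse in monitor logs.

Added example for this advisory, not Ceph's code. The log format is a
constructed, simplified one-line-per-request layout chosen so the indicators
from the advisory can be computed directly.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed format: <date> <time> cephx server <src_ip> global_id=<id> <request> <ok|denied>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) cephx server (?P<src_ip>[\d.]+) global_id=(?P<gid>\d+) "
    r"(?P<req>[A-Z_]+) (?P<result>ok|denied)$"
)
SESSION_KEY = "CEPHX_GET_AUTH_SESSION_KEY"

# Constructed sample: two ordinary clients, then one source that cycles through
# several global_ids, two of which were already in use by the other clients.
SAMPLE_LOG = """\
2021-04-01 10:00:01 cephx server 10.0.0.5 global_id=4101 CEPHX_GET_AUTH_SESSION_KEY ok
2021-04-01 10:00:02 cephx server 10.0.0.5 global_id=4101 CEPHX_GET_PRINCIPAL_SESSION_KEY ok
2021-04-01 10:00:05 cephx server 10.0.0.9 global_id=4102 CEPHX_GET_AUTH_SESSION_KEY ok
2021-04-01 10:00:06 cephx server 10.0.0.77 global_id=4103 CEPHX_GET_AUTH_SESSION_KEY denied
2021-04-01 10:00:07 cephx server 10.0.0.77 global_id=4101 CEPHX_GET_AUTH_SESSION_KEY ok
2021-04-01 10:00:08 cephx server 10.0.0.77 global_id=4102 CEPHX_GET_AUTH_SESSION_KEY ok
2021-04-01 10:00:09 cephx server 10.0.0.77 global_id=4105 CEPHX_GET_AUTH_SESSION_KEY ok
"""

Event = Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Keep session-key requests only; other request types and unknown lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("req") == SESSION_KEY:
            events.append(m.groupdict())
    return events


def count_by_src_and_gid(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Equivalent of the SIEM query's `stats count by src_ip, global_id`."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        counts[(e["src_ip"], e["gid"])] += 1
    return dict(counts)


def sources_with_many_ids(events: List[Event], max_ids: int = 1) -> Dict[str, Set[str]]:
    """Sources requesting session keys under more than `max_ids` distinct global_ids."""
    ids: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        ids[e["src_ip"]].add(e["gid"])
    return {src: gids for src, gids in ids.items() if len(gids) > max_ids}


def shared_global_ids(events: List[Event]) -> Dict[str, Set[str]]:
    """global_ids seen from more than one source address: the reuse this CVE enables."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        sources[e["gid"]].add(e["src_ip"])
    return {gid: srcs for gid, srcs in sources.items() if len(srcs) > 1}


def failure_then_success(events: List[Event]) -> Set[str]:
    """Sources with a denied request followed by a successful one (events are in log order)."""
    denied_seen: Set[str] = set()
    flagged: Set[str] = set()
    for e in events:
        if e["result"] == "denied":
            denied_seen.add(e["src_ip"])
        elif e["src_ip"] in denied_seen:
            flagged.add(e["src_ip"])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("requests by (src_ip, global_id):", count_by_src_and_gid(evs))
    print("sources cycling global_ids:", sources_with_many_ids(evs))
    print("global_ids shared across sources:", shared_global_ids(evs))
    print("denied then ok:", failure_then_success(evs))
```

Of the four views, `shared_global_ids` is the one that maps most directly to the flaw, since a global_id is meant to belong to a single client session; the others are the volume and sequence heuristics listed above and will also fire on misconfigured or reconnecting clients, so treat them as triage signals rather than verdicts.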
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1938031
- https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/362CEPPYF3YMJZBEJQUT3KDE2EHYYIYQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BPIAYTRCWAU4XWCDBK2THEFVXSC4XGK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JVWUKUUS5BCIFWRV3JCUQMAPJ4HIWSED/
- https://security.gentoo.org/glsa/202105-39