[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2018-1128Date: (C)2018-07-11   (M)2024-02-22


It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 7.5CVSS Score : 5.4
Exploit Score: 1.6Exploit Score: 5.5
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: ADJACENT_NETWORKAccess Vector: ADJACENT_NETWORK
Attack Complexity: HIGHAccess Complexity: MEDIUM
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
DSA-4339
RHSA-2018:2177
RHSA-2018:2179
RHSA-2018:2261
RHSA-2018:2274
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html
http://www.openwall.com/lists/oss-security/2020/11/17/3
http://www.openwall.com/lists/oss-security/2020/11/17/4
http://tracker.ceph.com/issues/24836
https://bugzilla.redhat.com/show_bug.cgi?id=1575866
https://github.com/ceph/ceph/commit/5ead97120e07054d80623dada90a5cc764c28468
openSUSE-SU-2019:1284

CPE    6
cpe:/o:debian:debian_linux:9.0
cpe:/o:debian:debian_linux:8.0
cpe:/o:redhat:enterprise_linux:7.0
cpe:/o:redhat:enterprise_linux_server:7.0
...
CWE    1
CWE-287
OVAL    12
oval:org.secpod.oval:def:89002073
oval:org.secpod.oval:def:603569
oval:org.secpod.oval:def:53462
oval:org.secpod.oval:def:114901
...

© SecPod Technologies