PT-2021-5763 · Ceph+5 · Ceph+5

Sage Mctaggart

·

Published

2020-09-20

·

Updated

2026-03-20

·

CVE-2021-20288

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions ceph versions prior to 14.2.20
Description The issue is related to a flaw in the authentication procedure of the ceph storage network, which can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. The vulnerability allows key reuse when the monitor handles CEPHX GET AUTH SESSION KEY requests, enabling an attacker to request a global id previously associated with another user. This poses a significant threat to data confidentiality, integrity, and system availability.
Recommendations For versions prior to 14.2.20, update to version 14.2.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the CEPHX GET AUTH SESSION KEY request handler to minimize the risk of exploitation. Additionally, avoid reusing global id values associated with other users until the issue is resolved.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

ALT-PU-2020-2845
ALT-PU-2021-1683
ALT-PU-2021-1709
ALT-PU-2021-1748
ALT-PU-2021-1805
ALT-PU-2021-1830
ALT-PU-2021-1990
ALT-PU-2021-2332
ALT-PU-2022-1240
BDU:2022-00208
BIT-CEPH-2021-20288
CVE-2021-20288
DLA-3629-1
MGASA-2021-0207
OESA-2022-1715
OPENSUSE-SU-2021:0672-1
OPENSUSE-SU-2021_0672-1
OPENSUSE-SU-2024:10649-1
OPENSUSE-SU-2024:10676-1
RHSA-2021:2445
RHSA-2022:1394
SUSE-SU-2021:1472-1
SUSE-SU-2021:1473-1
SUSE-SU-2021:1474-1
SUSE-SU-2021_1473-1
SUSE-SU-2021_1474-1
USN-4998-1
USN-5128-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Suse
Ubuntu
Ceph