From 53bb1d9dd639205e1efe102ef72f2645acfa7237 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Tue, 2 Mar 2021 15:09:26 +0100 Subject: [PATCH] auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys When handling CEPHX_GET_AUTH_SESSION_KEY requests from nautilus+ clients, ignore CEPH_ENTITY_TYPE_AUTH in CephXAuthenticate::other_keys. Similarly, when handling CEPHX_GET_PRINCIPAL_SESSION_KEY requests, ignore CEPH_ENTITY_TYPE_AUTH in CephXServiceTicketRequest::keys. These fields are intended for requesting service tickets, the auth ticket (which is really a ticket granting ticket) must not be shared this way. Otherwise we end up sharing an auth ticket that a) isn't encrypted with the old session key even if needed (should_enc_ticket == true) and b) has the wrong validity, namely auth_service_ticket_ttl instead of auth_mon_ticket_ttl. In the CEPHX_GET_AUTH_SESSION_KEY case, this undue ticket immediately supersedes the actual auth ticket already encoded in the same reply (the reply frame ends up containing two auth tickets). Signed-off-by: Ilya Dryomov (cherry picked from commit 05772ab6127bdd9ed2f63fceef840f197ecd9ea8) This only applies part of the patch, as the CephXAuthenticate::other_keys handling isn't present in this version. Origin: upstream, https://github.com/ceph/ceph/commit/05b3b6a305ddbb56cc53bbeadf5866db4d785f49 Gbp-Pq: Name CVE-2021-20288.patch --- src/auth/cephx/CephxServiceHandler.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc index b06e0080b..b36490f78 100644 --- a/src/auth/cephx/CephxServiceHandler.cc +++ b/src/auth/cephx/CephxServiceHandler.cc @@ -169,7 +169,10 @@ int CephxServiceHandler::handle_request(bufferlist::iterator& indata, bufferlist int service_err = 0; for (uint32_t service_id = 1; service_id <= ticket_req.keys; service_id <<= 1) { - if (ticket_req.keys & service_id) { + // skip CEPH_ENTITY_TYPE_AUTH: auth ticket must be obtained with + // CEPHX_GET_AUTH_SESSION_KEY + if ((ticket_req.keys & service_id) && + service_id != CEPH_ENTITY_TYPE_AUTH) { ldout(cct, 10) << " adding key for service " << ceph_entity_type_name(service_id) << dendl; CephXSessionAuthInfo info; -- 2.30.2