Ceph Authorization Bypass

CVE-2020-10736

Type: Privilege Escalation
Severity: Medium
Affected products: Ceph
Credits: The issues were discovered by Olle Segerdahl (@nxsolle) of F-Secure Labs and F-Secure Consulting.
CVE Reference: CVE-2020-10736
Timeline

2020-04-17  F-Secure reports the vulnerabilities to the Ceph security mailing list.
2020-04-17  Red Hat Product Security team acknowledges receipt and assigns ticket.
2020-04-20  Red Hat Product Security requests information about any embargoes or planned disclosure dates.
2020-05-04  F-Secure requests an update on progress.
2020-05-04  Red Hat Product Security updates F-Secure on ticket status.
2020-05-08  Red Hat Product Security shares patches with F-Secure and informs that they will be included in release 15.2.2.
2020-05-14  Red Hat Product Security coordinates release date of 2020-05-18.
2020-05-18  Ceph release v15.2.2 is published.
2020-05-19  F-Secure publishes this advisory.

Background

The Ceph Storage Cluster is an open source project based around the Reliable Autonomic Distributed Object Store (RADOS), which provides object, block, and file system storage in a single unified storage cluster. It is a popular way of adding reliable container-attached storage to computing environments such as Kubernetes and OpenStack and is also used in high-performance computing (HPC) clusters.

Ceph is maintained by the Ceph Foundation, with contributions from members such as Red Hat, Intel, Suse, Samsung and Digital Ocean. Red Hat also provides Ceph as a supported product offering.

Ceph implements its own network security protocol dubbed Cephx that is used to authenticate nodes within the Ceph cluster, as well as clients that wish to access Ceph storage. Cephx is almost exclusively used with shared symmetric secrets and provides a central service that mints "tickets" containing "capabilities" that are used when authenticating to services, not unlike Kerberos.

Description

F-Secure consultants discovered a number of missing or misplaced authorization checks where a cluster service failed to verify the "capabilities" of the authenticated user before performing some administrative action. The vulnerabilities were reported to the Ceph project for remediation and have been assigned the identifier CVE-2020-10736.

These vulnerabilities can be used by an attacker who has gained access to the authentication secret of any Ceph cluster user (including a storage client, such as a docker container) to change the runtime configuration of the central "monitor" and "manager" cluster services.

Remediation

The vulnerabilities were introduced in version 15.1.0 of Ceph; earlier versions (such as 14.x) do not exhibit them. The Ceph project has fixed these issues in the 15.2.2 release, and all users of Ceph codename "Octopus" (15.x) are encouraged to update as soon as possible to the latest minor release version.
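As an added example (not part of the advisory or the Ceph project), the following script turns the affected range stated above (introduced in 15.1.0, fixed in 15.2.2) into a check over the JSON that the `ceph versions` command prints, which maps each daemon type to the version banners its daemons report and their counts. The sample input is constructed, and the commit hashes in it are zero-filled placeholders.

```python
"""Flag Ceph daemons whose version falls inside the CVE-2020-10736 affected range.

Added example; not part of the F-Secure advisory or the Ceph project.
Affected range taken from the advisory: introduced in 15.1.0, fixed in 15.2.2,
so a daemon is affected iff 15.1.0 <= version < 15.2.2.
Input format assumed: the JSON printed by `ceph versions`, i.e.
{"mon": {"<banner>": <count>, ...}, "mgr": {...}, "osd": {...}, "overall": {...}}.
"""
import json
import re

# Bounds from the advisory: first affected release and first fixed release.
FIRST_AFFECTED = (15, 1, 0)
FIRST_FIXED = (15, 2, 2)

# A banner looks like 'ceph version 15.2.1 (<commit sha>) octopus (stable)'.
_BANNER_RE = re.compile(r"ceph version (\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a version banner.
    Raises ValueError when no x.y.z version number is present."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised ceph version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple[int, int, int]) -> bool:
    """True when the version lies in [15.1.0, 15.2.2).
    14.x and earlier never carried the flaw; 15.2.2 and later contain the fix.
    Tuple comparison gives the correct lexicographic (major, minor, patch) order."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def affected_daemons(versions_json: str) -> dict[str, int]:
    """Map daemon type -> number of daemons running an affected version.
    The 'overall' summary is skipped so that daemons are not counted twice."""
    data = json.loads(versions_json)
    result: dict[str, int] = {}
    for daemon_type, banners in data.items():
        if daemon_type == "overall":
            continue
        count = sum(n for banner, n in banners.items()
                    if is_affected(parse_version(banner)))
        if count:
            result[daemon_type] = count
    return result


# Constructed sample, not captured from a real cluster: the mons are patched,
# but one mgr and all six OSDs still run 15.2.1. The 40-zero sha is a placeholder.
_SHA = "0" * 40
_V1522 = f"ceph version 15.2.2 ({_SHA}) octopus (stable)"
_V1521 = f"ceph version 15.2.1 ({_SHA}) octopus (stable)"
SAMPLE_VERSIONS = json.dumps({
    "mon": {_V1522: 3},
    "mgr": {_V1522: 1, _V1521: 1},
    "osd": {_V1521: 6},
    "overall": {_V1522: 4, _V1521: 7},
})

if __name__ == "__main__":
    # Real use: pipe `ceph versions` into this script instead of the sample.
    for daemon_type, count in affected_daemons(SAMPLE_VERSIONS).items():
        print(f"{daemon_type}: {count} daemon(s) on an affected version")
```

The check is per daemon type rather than per cluster because a rolling upgrade leaves a cluster mixed for a while; the advisory's exposure is on the mon and mgr daemons specifically, so those two entries are the ones to watch until the whole cluster reports 15.2.2 or later.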

Access to the "Manager" service is not needed to access Ceph cluster storage. F-Secure recommends that users of Ceph limit network access to the "Manager" daemon to only allow administrators and Ceph cluster nodes.

Technical Details

Multiple authorization bypass issues (CVE-2020-10736)

In the "Monitor" service, a "kludge" was added for older clients that allows any authenticated user access to three whitelisted administrative commands. An attacker with "mon" capabilities can exploit this issue to change configuration parameters of the running mon daemon by using the "injectargs" command.

In the "Manager" service, incoming administrative messages are accepted before access checks are performed if the "fsid" parameter is present. This parameter is usually present in such messages, so this flaw can be exploited by any authenticated user to run any "MCommand" including "config set", without needing manager capabilities.
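To make the ordering problem in the "Manager" issue concrete, here is an added illustration that is not Ceph source code: a simplified command dispatcher in which a message carrying an "fsid" field is acted on before the caller's capabilities are checked, shown beside a handler that authorizes first. The Session, parse_caps, allowed and run_command names are assumptions of this model; the capability strings follow the cephx "allow r" / "allow rw" / "allow *" style, but the parser is a deliberately minimal stand-in, not Ceph's grammar.

```python
"""Model of the check ordering behind the Manager issue in CVE-2020-10736.

Added illustration, not Ceph source code. handle_vulnerable() reproduces the
pattern the advisory describes (dispatch before the capability check when an
'fsid' parameter is present); handle_fixed() shows the ordering a reviewer
would insist on. All names and the cap grammar here are simplified assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """An authenticated client and the caps its keyring entry grants,
    e.g. {"mon": "allow r", "osd": "allow rw"}."""
    name: str
    caps: dict[str, str] = field(default_factory=dict)


def parse_caps(cap_string: str) -> set[str]:
    """'allow rw' -> {'r', 'w'}; 'allow *' -> {'*'}. Minimal stand-in grammar."""
    parts = cap_string.split()
    if len(parts) != 2 or parts[0] != "allow":
        raise ValueError(f"unsupported cap string: {cap_string!r}")
    return {"*"} if parts[1] == "*" else set(parts[1])


def allowed(session: Session, service: str, perm: str) -> bool:
    """Does the session hold `perm` (e.g. 'w') on `service` (e.g. 'mgr')?
    A missing entry for the service means no access at all."""
    cap = session.caps.get(service)
    if cap is None:
        return False
    perms = parse_caps(cap)
    return "*" in perms or perm in perms


def run_command(cmd: dict) -> str:
    """Stand-in for executing an administrative command; returns a receipt."""
    return f"executed {cmd['prefix']}"


def handle_vulnerable(session: Session, cmd: dict) -> str:
    """Flawed ordering: a message carrying 'fsid' is dispatched straight away,
    so the capability check below is never reached for such messages."""
    if "fsid" in cmd:
        return run_command(cmd)          # reached without any authorization check
    if not allowed(session, "mgr", "w"):
        return "EACCES"
    return run_command(cmd)


def handle_fixed(session: Session, cmd: dict) -> str:
    """Corrected ordering: authorize first, unconditionally, then dispatch.
    Which optional fields the message carries must not change that."""
    if not allowed(session, "mgr", "w"):
        return "EACCES"
    return run_command(cmd)


# Constructed sessions: a storage client holding only mon/osd caps, and an admin.
STORAGE_CLIENT = Session("client.app", {"mon": "allow r", "osd": "allow rw"})
ADMIN = Session("client.admin", {"mon": "allow *", "mgr": "allow *", "osd": "allow *"})
# Constructed command; the fsid value is a placeholder, not a real cluster id.
CONFIG_SET = {"prefix": "config set", "fsid": "00000000-0000-0000-0000-000000000000"}

if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_fixed):
        print(handler.__name__, "storage client ->", handler(STORAGE_CLIENT, CONFIG_SET))
        print(handler.__name__, "admin ->", handler(ADMIN, CONFIG_SET))
```

The useful property of handle_fixed() is that the authorization decision depends only on the session and the service being addressed, never on the shape of the request; a unit test that sends the same command with and without the optional field to a low-privilege session, expecting the same refusal both times, is the regression check that would have caught the flawed version.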

Exploitation

The issue in "Manager" can be exploited by using unmodified Ceph client binaries that are likely already present on many systems that use Ceph for storage, while the issue in "Monitor" requires a slight modification of the ceph client libraries (or possibly use of an unmodified older version) to trigger the faulty access check.

In both cases, network clients must first complete successful authentication to the Ceph cluster before being able to perform these attacks.