CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)
Environment
Red Hat Gluster Storage 3
Issue
The security fix for CVE-2018-1088 introduced a vulnerability in the glusterfs server: any unauthenticated gluster client, on any network that can reach the gluster servers, can mount gluster volumes.
Impact
Red Hat Product Security has rated this issue Important.
- Gluster servers relying only on auth.allow/auth.reject to control client access are affected: after updating to the security fix for CVE-2018-1088, any gluster client from any network can mount gluster volumes without authentication.
- Gluster servers using TLS authentication in addition to auth.allow/auth.reject are not affected, as only clients authenticated via TLS are allowed to mount gluster storage volumes.
Mitigation
- Use TLS authentication to authenticate gluster clients and limit access to gluster storage volumes. auth.allow/auth.reject only match client addresses and do not authenticate the client; TLS client certificates (auth.ssl-allow) do.
- The gluster server should be on LAN, firewalled to trusted systems, and not reachable from public networks.
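The following is an added example, not part of this Red Hat solution and not tooling from the Gluster project: a POSIX shell script that audits `gluster volume info` output for volumes that rely on auth.allow alone (the affected configuration described under Impact) and emits the TLS remediation commands from the Mitigation section for one volume. The sample volume info, host names, addresses and certificate CNs (client1, client2) are constructed; the certificate paths are the glusterfs defaults, and /root/peer-certs is an assumed staging directory.

```shell
#!/bin/sh
# Added example: audit gluster volumes for auth.allow-only access control and
# print the TLS remediation commands. Not Red Hat or Gluster project code.

# Constructed sample of `gluster volume info` output (two volumes). On a real
# server run:  gluster volume info | audit_gluster_auth
SAMPLE_VOLINFO='Volume Name: data
Type: Replicate
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: srv1.example.com:/bricks/data
Brick2: srv2.example.com:/bricks/data
Options Reconfigured:
auth.allow: 10.0.0.*
nfs.disable: on

Volume Name: secure
Type: Replicate
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: srv1.example.com:/bricks/secure
Brick2: srv2.example.com:/bricks/secure
Options Reconfigured:
auth.allow: 10.0.0.*
auth.ssl-allow: client1,client2
client.ssl: on
server.ssl: on
nfs.disable: on'

# Reads `gluster volume info` on stdin and prints "<volume> <classification>":
#   tls-authenticated : server.ssl on and auth.ssl-allow set (not affected)
#   auth.allow-only   : address allow-list only (affected by CVE-2018-1112
#                       once the CVE-2018-1088 fix is installed)
#   no-client-auth    : neither option set
audit_gluster_auth() {
    awk '
    function report() {
        if (vol == "") return
        if (server_ssl == "on" && ssl_allow != "")
            printf "%s tls-authenticated\n", vol
        else if (auth_allow != "")
            printf "%s auth.allow-only\n", vol
        else
            printf "%s no-client-auth\n", vol
    }
    /^Volume Name:/     { report(); vol = $3; auth_allow = ""; ssl_allow = ""; server_ssl = ""; next }
    /^auth\.allow:/     { auth_allow = $2 }
    /^auth\.ssl-allow:/ { ssl_allow = $2 }
    /^server\.ssl:/     { server_ssl = $2 }
    END { report() }
    '
}

# Prints the commands that move VOLUME to TLS client authentication so they can
# be reviewed first (pipe to sh to apply). CERT_CNS is the comma-separated list
# of client certificate CNs to admit. /etc/ssl/glusterfs.{key,pem,ca} are the
# glusterfs defaults; /root/peer-certs is an assumed directory holding every
# server's and client's certificate.
tls_remediation_commands() {
    volume=$1
    cert_cns=$2
    cat <<EOF
# On every server and client: private key, self-signed cert, CA bundle of all peers
openssl genrsa -out /etc/ssl/glusterfs.key 2048
openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "/CN=\$(hostname -s)" -days 365 -out /etc/ssl/glusterfs.pem
cat /root/peer-certs/*.pem > /etc/ssl/glusterfs.ca
# The volume must be stopped while the I/O encryption options change
gluster volume stop $volume
gluster volume set $volume auth.ssl-allow '$cert_cns'
gluster volume set $volume client.ssl on
gluster volume set $volume server.ssl on
gluster volume start $volume
EOF
}

# Worked run on the constructed sample.
printf '%s\n' "$SAMPLE_VOLINFO" | audit_gluster_auth
tls_remediation_commands data 'client1,client2'
```

On the sample, `data` is reported as auth.allow-only and `secure` as tls-authenticated. Keep auth.allow in place after enabling TLS; the address filter still applies, but access is now gated on the client's certificate CN matching auth.ssl-allow rather than on a spoofable source address.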
Root Cause
The Gluster authentication option 'auth.allow' does not work as expected: the client whitelist configured with 'auth.allow' is not honored, so unauthenticated gluster clients from any network can access gluster volumes.
More information about this issue can be found on our CVE page: CVE-2018-1112