Introduction
Unauthorized access to distributed storage can undermine the integrity of critical infrastructure and expose sensitive data to attackers. The recent authentication bypass in Ceph RadosGW (CVE-2024-48916) demonstrates how a single oversight in token validation can have far-reaching consequences for organizations relying on object storage at scale.
Ceph is a widely used open-source distributed storage platform, providing object, block, and file storage for cloud and enterprise environments. Its Rados Gateway (RadosGW) component enables S3-compatible RESTful access, often integrated with OpenID Connect (OIDC) for authentication. Ceph is central to many cloud deployments, with thousands of organizations and service providers depending on its reliability and security.
Technical Information
CVE-2024-48916 arises from insufficient validation of JSON Web Token (JWT) algorithms in the RadosGW OIDC provider. Specifically, when a JWT is presented with the alg field set to none, the system fails to enforce signature verification. As a result, an attacker can craft a JWT with alg=none and arbitrary claims, and RadosGW will accept it as valid, bypassing authentication entirely.
The vulnerability is rooted in the failure to restrict JWT algorithms to a secure, supported set. Instead, the system allowed tokens with alg=none to pass through, effectively disabling cryptographic checks. This exposes any Ceph deployment using RadosGW with OIDC authentication to unauthorized access if an attacker can submit a crafted JWT.
No public code snippets or exploit samples are available in the referenced materials, but the vulnerability mechanism is clear from the advisory and patch notes.
Patch Information
In the Ceph RadosGW (RGW) component, a security vulnerability was identified where unsupported JSON Web Token (JWT) algorithms were not properly restricted. This oversight could potentially allow attackers to bypass authentication mechanisms by exploiting these unsupported algorithms.
To address this issue, a patch was implemented to explicitly disallow any JWT algorithms that are not supported by RGW. The core of this fix involves modifying the rgw/sts module to enforce strict validation of JWT algorithms during the authentication process.
The key changes introduced in the patch include:
-
Validation of JWT Algorithms: The system now checks the algorithm specified in the JWT header against a list of supported algorithms. If the algorithm is not recognized or supported, the authentication process is halted, and access is denied.
-
Error Handling: When an unsupported algorithm is detected, the system logs a detailed error message indicating the unsupported algorithm and the reason for the authentication failure. This aids in troubleshooting and ensures administrators are aware of potential misuse attempts.
-
Code Implementation: The patch introduces a function that extracts the algorithm from the JWT header and compares it against the supported algorithms. If a mismatch is found, the function returns an error, preventing further processing of the token.
Here is a simplified snippet illustrating the core logic of the patch:
std::string algorithm = extract_algorithm_from_jwt(jwt_header); if (!is_supported_algorithm(algorithm)) { ldout(cct, 0) << "Unsupported JWT algorithm: " << algorithm << dendl; return -ERR_INVALID_TOKEN; }
In this code:
extract_algorithm_from_jwtis a function that parses the JWT header to retrieve the algorithm used.is_supported_algorithmchecks if the extracted algorithm is within the list of algorithms supported by RGW.- If the algorithm is unsupported, an error message is logged, and the function returns an error code, effectively denying access.
By implementing this patch, RGW enhances its security posture by ensuring that only tokens signed with approved algorithms are accepted, thereby mitigating the risk of authentication bypass through unsupported JWT algorithms.
For more details on this patch, you can refer to the official GitHub pull request: https://github.com/ceph/ceph/pull/60624
Detection Methods
Detecting the exploitation of vulnerabilities like CVE-2024-41228 in AliyunContainerService Pouch 1.3.1 requires a multifaceted approach, focusing on both static and dynamic analysis techniques.
Static Analysis:
-
Manual Source Code Review:
- Focused Manual Spotcheck: Conduct targeted reviews of the source code, especially areas handling file operations, to identify improper handling of symbolic links.
- Comprehensive Code Review: Perform thorough examinations of the entire codebase to uncover potential vulnerabilities related to symlink handling.
-
Automated Static Analysis:
- Source Code Weakness Analyzer: Utilize tools designed to scan the source code for known patterns of vulnerabilities, including improper symlink handling.
- Context-Configured Analyzers: Implement analyzers configured to the specific context of the application to detect nuanced issues.
Dynamic Analysis:
-
Automated Testing:
- Web Application and Services Scanners: Deploy scanners to test the application in a runtime environment, identifying vulnerabilities that manifest during execution.
- Database Scanners: Assess database interactions to ensure they are not susceptible to symlink-related exploits.
-
Manual Testing:
- Fuzz Testing: Apply fuzzing techniques to input fields and file operations to detect unexpected behaviors or crashes indicative of vulnerabilities.
- Framework-Based Fuzzers: Use specialized fuzzing frameworks tailored to the application's architecture for more effective testing.
Architecture and Design Review:
-
Formal Methods:
- Employ formal verification techniques to mathematically prove the correctness of the application's handling of file operations.
-
Inspection:
- Conduct systematic inspections of the application's design and implementation to identify and mitigate potential symlink vulnerabilities.
By integrating these detection methods, organizations can proactively identify and address vulnerabilities like CVE-2024-41228, enhancing the security posture of their applications.
For more details on detection, refer to: https://vuldb.com/?id.278291
Affected Systems and Versions
The following Ceph versions and distributions are affected by CVE-2024-48916:
- Ceph versions up to and including 16.2.14+ds-0 (Debian bookworm)
- Ceph versions up to and including 18.2.3+ds-10 (Debian sid/trixie)
- Ceph versions up to and including 19.2.3 (upstream)
- Ceph versions up to and including 17.2.6-0ubuntu0.22.04.1 (Ubuntu 22.04 LTS)
- Ceph versions up to and including 19.2.0-54.el9cp (Red Hat)
Any deployment using RadosGW with OIDC authentication in these versions is vulnerable.
Vendor Security History
Ceph has previously faced authentication-related vulnerabilities, including CVE-2023-43040, which also impacted RadosGW. The vendor has demonstrated a pattern of addressing such issues promptly, with patches released across major distributions within weeks of disclosure. The security maturity of the Ceph project is reflected in its transparent advisories and active engagement with the open-source community.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-48916
- https://www.cve.org/CVERecord?id=CVE-2024-48916
- https://github.com/ceph/ceph/security/advisories/GHSA-5g9m-mmp6-93mq
- https://github.com/ceph/ceph/pull/60624
- https://security-tracker.debian.org/tracker/CVE-2024-48916
- https://ubuntu.com/security/CVE-2024-48916
- https://access.redhat.com/security/cve/cve-2024-48916
- https://osv.dev/vulnerability/RHSA-2024:10956
- https://www.debian.org/security/2024/dsa-5825
- https://security-tracker.debian.org/tracker/DSA-5825-1
- https://explore.alas.aws.amazon.com/CVE-2024-48916.html
- https://www.tenable.com/cve/CVE-2024-48916
- https://app.opencve.io/cve/CVE-2024-48916
- https://linuxsecurity.com/advisories/mageia/mageia-2025-0011-ceph-security-advisory-updates-qde73eraacsg
- https://www.suse.com/security/cve/CVE-2024-48916.html
- https://rapid7.com/db/vulnerabilities/ubuntu-cve-2024-48916/
- https://vuldb.com/?id.278291