CVE-2018-16886

etcd: Improper Authentication in auth/store.go:AuthInfoFromTLS() via gRPC-gateway

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

etcd, en sus versiones 3.2.x anteriores a la 3.2.26 y versiones 3.3.x anteriores a la 3.3.11, es vulnerable a una autorización incorrecta cuando se emplea un control de acceso basado en roles (RBAC) y client-cert-auth se encuentra habilitado. Si un certificado TLS del servidor etcd del cliente contiene un "Common Name" (CN) que coincide con un nombre de usuario RBAC válido, un atacante remoto podría autenticarse como dicho usuario con cualquier certificado (confiable) del cliente en una petición REST API en gRPC-gateway.

Etcd, versions 3.2.0 through 3.2.25 and 3.3.0 through 3.3.10, are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server's TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

This update for etcd fixes the following issues. Fixed remote command execution in cmd/go. Fixed directory traversal in cmd/go. Fixed CPU denial of service in crypto/x509. Fixed improper authentication issue when RBAC and client-cert-auth is enabled. Fixed panic in decodeRecord method. Fixed improper checks in entry index. Fixed information discosure via debug function. Fixed quadratic complexity in HPACK decoding in net/http. Fixed insufficient sanitization of Host header in go net/http. Fixed DoS vulnerability in otelgrpc. Fixed prefix truncation breaking ssh channel integrity (aka Terrapin Attack) in crypto/ssh Other changes. Added hardening to systemd service. Fixed static /tmp file issue. Fixed systemd service not starting.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-09-11 CVE Reserved
2019-01-14 CVE Published
2024-08-05 CVE Updated
2025-07-01 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication

CAPEC

References (10)

URL	Tag	Source
http://www.securityfocus.com/bid/106540	Third Party Advisory
https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.2.md#security-authentication	Release Notes
https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.3.md#security-authentication	Release Notes

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16886	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:0237	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1352	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-16886	2019-06-04
https://bugzilla.redhat.com/show_bug.cgi?id=1651034	2019-06-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Etcd Search vendor "Etcd"		Etcd Search vendor "Etcd" for product "Etcd"				>= 3.2.0 < 3.2.26 Search vendor "Etcd" for product "Etcd" and version " >= 3.2.0 < 3.2.26"		-		Affected
Etcd Search vendor "Etcd"		Etcd Search vendor "Etcd" for product "Etcd"				>= 3.3.0 < 3.3.11 Search vendor "Etcd" for product "Etcd" and version " >= 3.3.0 < 3.3.11"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected