It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.
Find out more about CVE-2018-14649 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. This flaw does not affect python-werkzeug library. It depends on if application uses python-werkzeug library with debug mode enabled.
| CVSS3 Base Score | 9.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Ceph Storage 3 for Red Hat Enterprise Linux 7 (ceph-iscsi-cli) | RHSA-2018:2838 | 2018-10-01 |
| Red Hat Ceph Storage Tools 2 (ceph-iscsi-cli) | RHSA-2018:2837 | 2018-10-01 |
To stop werkzeug debug mode started by rbd-target-api which is provided by ceph-iscsi-cli:
1. ~]# systemctl stop rbd-target-api
2. ~]# vi /usr/bin/rbd-target-api
# Start the API server
...
737 app.run(host='0.0.0.0',
738 port=settings.config.api_port,
739 debug=True, <==== change this to debug=False
use_evalex=False, <=== add this line to disable debugger code execution
740 use_reloader=False,
741 ssl_context=context)
...
after changes it should be
# Start the API server
...
737 app.run(host='0.0.0.0',
738 port=settings.config.api_port,
739 debug=False,
use_evalex=False,
740 use_reloader=False,
741 ssl_context=context)
...
3. ~]# systemctl start rbd-target-api
4. Limit exposure of port 5000/tcp: This port should be opened to trusted hosts which require to run 'gwcli'.
Vulmon