Bug 1632078 (CVE-2018-14649)

Summary: CVE-2018-14649 ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: sisharma, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-16 04:33:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1632081, 1632082
Bug Blocks: 1632060

Description Sam Fowler 2018-09-24 05:12:25 UTC
The ceph-iscsi-cli package starts the rbd-target-api service in debug mode by default, which enables the underlying python-werkzeug debug console. A remote unauthenticated user can use the debug console to execute arbitrary commands.


Upstream Bug:

https://github.com/ceph/ceph-iscsi-cli/issues/120

Comment 5 Siddharth Sharma 2018-09-24 07:23:31 UTC
Statement:

This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. This flaw does not affect the python-werkzeug library itself. It depends on whether the application uses the python-werkzeug library with debug mode enabled.

Comment 7 Siddharth Sharma 2018-09-24 13:35:30 UTC
Mitigation:

To stop the werkzeug debug mode started by rbd-target-api, which is provided by ceph-iscsi-cli:

1. ~]# systemctl stop rbd-target-api

2. ~]# vi /usr/bin/rbd-target-api

# Start the API server
...
737     app.run(host='0.0.0.0',
738             port=settings.config.api_port,
739             debug=True,       <==== change this to debug=False
                    use_evalex=False,   <=== add this line to disable debugger code execution
740             use_reloader=False,
741             ssl_context=context)
...

after changes it should be

# Start the API server
...
737     app.run(host='0.0.0.0',
738             port=settings.config.api_port,
739             debug=False, 
                    use_evalex=False,
740             use_reloader=False,
741             ssl_context=context)
...

3. ~]# systemctl start rbd-target-api

4. Limit exposure of port 5000/tcp: this port should be opened only to trusted hosts that need to run 'gwcli'.
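The mitigation above changes two keyword arguments of the `app.run()` call, `debug` and `use_evalex`, because `debug=True` turns on the werkzeug interactive debugger and werkzeug's `run_simple()` defaults `use_evalex=True`, which gives that debugger's traceback page a console that evaluates attacker-supplied Python. The following added example (not code from ceph-iscsi-cli, Red Hat or werkzeug) is a stdlib-only static check that parses Python source with `ast` and flags any `<obj>.run(...)` call exhibiting that combination, so the 'before' and 'after' states of the edit can be verified mechanically across an estate of gateways. The two embedded source excerpts are constructed to mirror the snippet in this comment; `app`, `settings` and `context` are stand-in names and the excerpts are parsed, never executed.

```python
"""Flag Flask/werkzeug app.run() calls that leave the debugger console reachable.

Added illustration, not code from ceph-iscsi-cli or Red Hat. It needs only the
Python standard library: the source is parsed with `ast` and every
`<obj>.run(...)` call is checked for the two keyword arguments the mitigation
changes, `debug` and `use_evalex`.
"""
import ast
from dataclasses import dataclass
from typing import Any, List

# Constructed excerpt mirroring the 'before' state of the app.run() call shown
# in the mitigation. `app`, `settings` and `context` are stand-in names; the
# excerpt is only parsed, never executed.
VULNERABLE_SRC = """
# Start the API server
app.run(host='0.0.0.0',
        port=settings.config.api_port,
        debug=True,
        use_reloader=False,
        ssl_context=context)
"""

# Constructed excerpt mirroring the 'after' state from the mitigation.
FIXED_SRC = """
# Start the API server
app.run(host='0.0.0.0',
        port=settings.config.api_port,
        debug=False,
        use_evalex=False,
        use_reloader=False,
        ssl_context=context)
"""

_MISSING = object()  # sentinel: keyword argument absent from the call


@dataclass
class Finding:
    lineno: int
    severity: str
    message: str


def _value(node: ast.AST) -> Any:
    """Literal value of an argument node, or its source text when it is not a
    constant (e.g. settings.config.api_port), so that a non-literal never
    compares equal to True/False/'0.0.0.0'."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError):
        return getattr(ast, "unparse", ast.dump)(node)


def audit_source(source: str) -> List[Finding]:
    """Return findings for every `<obj>.run(...)` call found in `source`."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"):
            continue
        kwargs = {kw.arg: _value(kw.value) for kw in node.keywords if kw.arg}
        debug = kwargs.get("debug", _MISSING)
        use_evalex = kwargs.get("use_evalex", _MISSING)
        host = kwargs.get("host", _MISSING)
        if debug is not True:
            continue  # debugger off: use_evalex is irrelevant
        findings.append(Finding(node.lineno, "high",
                                "debug=True enables the werkzeug interactive debugger"))
        if use_evalex is not False:
            # werkzeug's run_simple() defaults use_evalex=True, so the traceback
            # page carries a console that evaluates attacker-supplied Python.
            findings.append(Finding(node.lineno, "critical",
                                    "use_evalex not set to False: debugger console "
                                    "allows remote code execution"))
        if host == "0.0.0.0":
            findings.append(Finding(node.lineno, "high",
                                    "debugger bound to all interfaces (host='0.0.0.0')"))
    return findings


def is_hardened(source: str) -> bool:
    """True when no app.run() call in `source` enables the debugger."""
    return not audit_source(source)


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(f"{name}: {'OK' if is_hardened(src) else 'FAIL'}")
        for f in audit_source(src):
            print(f"  line {f.lineno} [{f.severity}] {f.message}")
```

Run against `/usr/bin/rbd-target-api` (read the file and pass its text to `audit_source`) before and after applying steps 1-3; the 'before' state yields a critical finding for the missing `use_evalex=False` plus two high findings, and the 'after' state yields none. The check only reasons about literal keyword arguments, so a `debug` value taken from configuration or from `FLASK_DEBUG` is not flagged and still has to be reviewed by hand.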

Comment 10 Yogendra Jog 2018-09-25 13:10:11 UTC
External References:

https://access.redhat.com/articles/3623521

Comment 11 errata-xmlrpc 2018-10-01 15:12:42 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7

Via RHSA-2018:2838 https://access.redhat.com/errata/RHSA-2018:2838

Comment 12 errata-xmlrpc 2018-10-01 15:13:02 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7

Via RHSA-2018:2837 https://access.redhat.com/errata/RHSA-2018:2837