Bug 1632078 (CVE-2018-14649)
Summary: | CVE-2018-14649 ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | unspecified | CC: | sisharma, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-10-16 04:33:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1632081, 1632082 | ||
Bug Blocks: | 1632060 |
Description
Sam Fowler
2018-09-24 05:12:25 UTC
Statement: This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. This flaw does not affect python-werkzeug library. It depends on if application uses python-werkzeug library with debug mode enabled. Mitigation: To stop werkzeug debug mode started by rbd-target-api which is provided by ceph-iscsi-cli: 1. ~]# systemctl stop rbd-target-api 2. ~]# vi /usr/bin/rbd-target-api # Start the API server ... 737 app.run(host='0.0.0.0', 738 port=settings.config.api_port, 739 debug=True, <==== change this to debug=False use_evalex=False, <=== add this line to disable debugger code execution 740 use_reloader=False, 741 ssl_context=context) ... after changes it should be # Start the API server ... 737 app.run(host='0.0.0.0', 738 port=settings.config.api_port, 739 debug=False, use_evalex=False, 740 use_reloader=False, 741 ssl_context=context) ... 3. ~]# systemctl start rbd-target-api 4. Limit exposure of port 5000/tcp: This port should be opened to trusted hosts which require to run 'gwcli'. upstream fix: https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b External References: https://access.redhat.com/articles/3623521 This issue has been addressed in the following products: Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7 Via RHSA-2018:2838 https://access.redhat.com/errata/RHSA-2018:2838 This issue has been addressed in the following products: Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7 Via RHSA-2018:2837 https://access.redhat.com/errata/RHSA-2018:2837 |