A flaw was found in the Linux kernel's implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. tcmu-runner calls the affected xcopy command in SCSI, which lacks a check for transport-layer restrictions, allowing remote modification of files via directory traversal.
Created tcmu-runner tracking bugs for this issue: Affects: fedora-all [bug 1915787]
Statement: This issue did not affect the version of tcmu-runner as shipped with Red Hat Gluster Storage 3, as it did not include support for Extended Copy (XCOPY). Red Hat Ceph Storage 3 and 4 are affected, as they ship an affected version of tcmu-runner with XCOPY. Red Hat OpenShift Container Storage (RHOCS) 4 shipped the tcmu-runner package for the usage of RHOCS 4.2 only, which has reached End Of Life. The shipped version of the tcmu-runner package is no longer used and supported with the release of RHOCS 4.3.
External References: https://nvd.nist.gov/vuln/detail/CVE-2021-3139
Mitigation: As this feature can be guarded behind authentication and firewall rules, limit access with firewall rules and enforce strong password hygiene. This may not be a suitable option if many uncontrolled hosts mount the networked iSCSI device.
Modified to accept NVD CVSS upon rescore.
This issue has been addressed in the following products: Red Hat Ceph Storage 4.2 Via RHSA-2021:1452 https://access.redhat.com/errata/RHSA-2021:1452
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3139
This issue has been addressed in the following products: Red Hat Ceph Storage 3 - ELS Via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518