Bug 1632078 (CVE-2018-14649) - CVE-2018-14649 ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution
Status: CLOSED ERRATA
Alias: CVE-2018-14649
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20180924,repor...
Keywords: Security
Depends On: 1632081 1632082
Blocks: 1632060
 
Reported: 2018-09-24 05:12 UTC by Sam Fowler
Modified: 2019-06-08 23:37 UTC (History)
2 users

It was found that the rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.
Clone Of:
Last Closed: 2018-10-16 04:33:31 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2837 None None None 2018-10-01 15:13 UTC
Red Hat Product Errata RHSA-2018:2838 None None None 2018-10-01 15:12 UTC

Description Sam Fowler 2018-09-24 05:12:25 UTC
The ceph-iscsi-cli package starts the rbd-target-api service in debug mode by default, which enables the underlying python-werkzeug debug console. A remote unauthenticated user can use the debug console to execute arbitrary commands.


Upstream Bug:

https://github.com/ceph/ceph-iscsi-cli/issues/120

Comment 5 Siddharth Sharma 2018-09-24 07:23:31 UTC
Statement:

This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. This flaw does not affect the python-werkzeug library. It depends on whether the application uses the python-werkzeug library with debug mode enabled.

Comment 7 Siddharth Sharma 2018-09-24 13:35:30 UTC
Mitigation:

To stop the werkzeug debug mode started by rbd-target-api, which is provided by ceph-iscsi-cli:

1. ~]# systemctl stop rbd-target-api

2. ~]# vi /usr/bin/rbd-target-api

# Start the API server
...
737     app.run(host='0.0.0.0',
738             port=settings.config.api_port,
739             debug=True,       <==== change this to debug=False
                    use_evalex=False,   <=== add this line to disable debugger code execution
740             use_reloader=False,
741             ssl_context=context)
...

after changes it should be

# Start the API server
...
737     app.run(host='0.0.0.0',
738             port=settings.config.api_port,
739             debug=False, 
                    use_evalex=False,
740             use_reloader=False,
741             ssl_context=context)
...

3. ~]# systemctl start rbd-target-api

4. Limit exposure of port 5000/tcp: this port should be opened only to trusted hosts that need to run 'gwcli'.
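
The following Python script is an added example, not code from ceph-iscsi-cli, python-werkzeug or Red Hat. It performs the audit and the edit from step 2 mechanically: it parses a copy of a script such as /usr/bin/rbd-target-api, finds every `<obj>.run(...)` call whose `debug` keyword is the literal `True`, reports whether the Werkzeug interactive console would be enabled (Werkzeug turns the console on whenever `debug=True` unless `use_evalex=False` is passed explicitly), and rewrites the call to `debug=False, use_evalex=False`. `VULNERABLE_SRC` is a constructed stub that mirrors the `app.run()` call quoted above; `app`, `settings` and `context` in it are placeholders that are parsed but never executed. The script generalizes beyond the quoted file to any Flask/Werkzeug `app.run()` call, and it needs Python 3.8 or later for the `end_col_offset` attributes on AST nodes.

```python
import ast

# Constructed sample mirroring the app.run() call quoted in the mitigation.
# 'app', 'settings' and 'context' are placeholders: this text is only parsed.
VULNERABLE_SRC = """\
# Start the API server
app.run(host='0.0.0.0',
        port=settings.config.api_port,
        debug=True,
        use_reloader=False,
        ssl_context=context)
"""


def _literal_keyword(call, name):
    """Return the ast.Constant node for keyword `name` of `call`, or None when the
    keyword is absent or not a literal (e.g. debug=DEBUG is left for manual review)."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant):
            return kw.value
    return None


def find_run_calls(source):
    """Return every `<something>.run(...)` call in `source` (Flask's app.run pattern)."""
    tree = ast.parse(source)
    return [n for n in ast.walk(tree)
            if isinstance(n, ast.Call)
            and isinstance(n.func, ast.Attribute)
            and n.func.attr == "run"]


def audit(source):
    """List the .run() calls that enable the Werkzeug debugger.

    A finding records the line of the call and whether the interactive console
    (the code-execution surface) is reachable: it is, unless use_evalex=False
    was passed explicitly alongside debug=True.
    """
    findings = []
    for call in find_run_calls(source):
        debug = _literal_keyword(call, "debug")
        if debug is None or debug.value is not True:
            continue
        evalex = _literal_keyword(call, "use_evalex")
        findings.append({
            "line": call.lineno,
            "console_enabled": not (evalex is not None and evalex.value is False),
        })
    return findings


def harden(source):
    """Apply the two changes from step 2 of the mitigation to every flagged call:
    debug=True becomes debug=False and use_evalex=False is set explicitly.
    Only the literal inside the .run() call is touched, so the rest of the file
    (comments, other settings) is left byte-for-byte unchanged."""
    lines = source.splitlines(keepends=True)
    edits = []  # (lineno, byte col, byte end col, replacement text)
    for call in find_run_calls(source):
        debug = _literal_keyword(call, "debug")
        if debug is None or debug.value is not True:
            continue
        evalex = _literal_keyword(call, "use_evalex")
        if evalex is None:
            # No use_evalex keyword yet: flip debug and add the keyword beside it.
            edits.append((debug.lineno, debug.col_offset, debug.end_col_offset,
                          "False, use_evalex=False"))
        else:
            edits.append((debug.lineno, debug.col_offset, debug.end_col_offset, "False"))
            if evalex.value is not False:
                edits.append((evalex.lineno, evalex.col_offset,
                              evalex.end_col_offset, "False"))
    # AST column offsets are UTF-8 byte offsets, so splice at the byte level.
    # Apply right-to-left so earlier offsets on a shared line stay valid.
    for lineno, col, end, repl in sorted(edits, reverse=True):
        raw = lines[lineno - 1].encode("utf-8")
        lines[lineno - 1] = (raw[:col] + repl.encode("utf-8") + raw[end:]).decode("utf-8")
    return "".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python harden_run.py /path/to/copy-of-rbd-target-api
    # Prints findings and writes the hardened text to <path>.hardened for diffing.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else VULNERABLE_SRC
    for f in audit(text):
        print("line %d: debug=True, console %s" %
              (f["line"], "ENABLED" if f["console_enabled"] else "disabled"))
    if path:
        open(path + ".hardened", "w").write(harden(text))
```

Review the `.hardened` file with `diff` before copying it over the installed script, then restart the service as in step 3; the firewall restriction in step 4 still applies, because an API reachable only from trusted hosts is the second layer the debugger change does not replace.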

Comment 10 Yogendra Jog 2018-09-25 13:10:11 UTC
External References:

https://access.redhat.com/articles/3623521

Comment 11 errata-xmlrpc 2018-10-01 15:12:42 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7

Via RHSA-2018:2838 https://access.redhat.com/errata/RHSA-2018:2838

Comment 12 errata-xmlrpc 2018-10-01 15:13:02 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7

Via RHSA-2018:2837 https://access.redhat.com/errata/RHSA-2018:2837

