CVE-2018-14649

Published: 24 Sep 2018
Source: redhat
CVSS3: 9.8

Description

It was found that the ceph-iscsi-cli package as shipped by Red Hat Ceph Storage 2 and 3 uses python-werkzeug in debug shell mode. This is done by setting debug=True in the file /usr/bin/rbd-target-api provided by the ceph-iscsi-cli package. This allows unauthenticated attackers to access the debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell, they can execute arbitrary commands remotely. These commands run with the privileges of the user executing the application that uses python-werkzeug with debug shell mode enabled. In Red Hat Ceph Storage 2 and 3, the ceph-iscsi-cli package runs the python-werkzeug library with root-level permissions.

It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.

Statement

This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. This flaw does not affect the python-werkzeug library itself. Whether an application is affected depends on whether it uses the python-werkzeug library with debug mode enabled.

Mitigation

To stop the werkzeug debug mode started by rbd-target-api, which is provided by ceph-iscsi-cli:

  1. ~]# systemctl stop rbd-target-api
  2. ~]# vi /usr/bin/rbd-target-api

         # Start the API server
         ...
         app.run(host='0.0.0.0',
                 port=settings.config.api_port,
                 debug=True,        # <==== change this to debug=False
                 use_evalex=False,  # <=== add this line to disable debugger code execution
                 use_reloader=False,
                 ssl_context=context)
         ...

     After the changes it should be:

         # Start the API server
         ...
         app.run(host='0.0.0.0',
                 port=settings.config.api_port,
                 debug=False,
                 use_evalex=False,
                 use_reloader=False,
                 ssl_context=context)
         ...

  3. ~]# systemctl start rbd-target-api
  4. Limit exposure of port 5000/tcp: this port should be opened to trusted hosts that need to run 'gwcli'.
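To confirm that the edit in step 2 took effect, the check below parses Python source and reports any `run(...)` call that still leaves the Werkzeug debugger reachable. It is an added example, not code from the Red Hat advisory or from ceph-iscsi-cli; `audit_run_calls` and the sample strings are hypothetical, and it assumes the audited file parses under the Python interpreter running the check.

```python
import ast

# Constructed sample mirroring the app.run() call shown in the mitigation
# steps (before and after the change); not the real rbd-target-api file.
BEFORE = """
app.run(host='0.0.0.0',
        port=settings.config.api_port,
        debug=True,
        use_reloader=False,
        ssl_context=context)
"""
AFTER = BEFORE.replace("debug=True,", "debug=False,\n        use_evalex=False,")


def _literal(call, name):
    """Return the constant value of keyword `name`, or None if absent/non-literal."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def audit_run_calls(source):
    """Return (line, problem) pairs for every *.run(...) call that passes a
    debug keyword and does not match the mitigated form."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"):
            continue
        if "debug" not in {kw.arg for kw in node.keywords}:
            continue  # unrelated run() call, e.g. subprocess.run
        # Anything other than a literal False (True, a variable) is reported.
        if _literal(node, "debug") is not False:
            findings.append((node.lineno, "debug is not the literal False"))
        if _literal(node, "use_evalex") is not False:
            findings.append((node.lineno, "use_evalex=False is missing"))
    return findings


if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_run_calls(src))
```
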

Additional information

Status: Critical
Weakness: CWE-77
ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution
https://bugzilla.redhat.com/show_bug.cgi?id=1632078

Related vulnerabilities

CVSS3: 9.8
nvd
more than 7 years ago


CVSS3: 9.8
github
more than 3 years ago
