Описание
In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.
A flaw was found in the Linux kernel’s implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. This flaw allows an authenticated attacker to send LIO block requests to the Linux system to overwrite data on the backing store. The highest threat from this vulnerability is to integrity. In addition, this flaw affects the tcmu-runner package, where the affected SCSI command is called.
Отчет
This issue did not affect the version of tcmu-runner as shipped with Red Hat Gluster Storage 3, as it did not include support for Extended Copy (XCOPY). Red Hat Ceph Storage 3 and 4 are affected, as they ship an affected version of tcmu-runner with XCOPY. Red Hat OpenShift Container Storage (RHOCS) 4 shipped tcmu-runner package for the usage of RHOCS 4.2 only, that has reached End Of Life. The shipped version of tcmu-runner package is no longer used and supported with the release of RHOCS 4.3.
Меры по смягчению последствий
As this feature can be guarded behind an authentication and firewall rules, limit access with firewall rules and enforcing strong password hygiene. This may not be a suitable option if many uncontrolled hosts mount the networked iSCSI device.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Openshift Container Storage 4 | tcmu-runner | Will not fix | ||
| Red Hat Storage 3 | tcmu-runner | Not affected | ||
| Red Hat Ceph Storage 3 - ELS | ceph | Fixed | RHSA-2021:1518 | 06.05.2021 |
| Red Hat Ceph Storage 3 - ELS | ceph-ansible | Fixed | RHSA-2021:1518 | 06.05.2021 |
| Red Hat Ceph Storage 3 - ELS | cephmetrics | Fixed | RHSA-2021:1518 | 06.05.2021 |
| Red Hat Ceph Storage 3 - ELS | grafana | Fixed | RHSA-2021:1518 | 06.05.2021 |
| Red Hat Ceph Storage 3 - ELS | tcmu-runner | Fixed | RHSA-2021:1518 | 06.05.2021 |
| Red Hat Ceph Storage 4.2 | ceph | Fixed | RHSA-2021:1452 | 28.04.2021 |
| Red Hat Ceph Storage 4.2 | ceph-ansible | Fixed | RHSA-2021:1452 | 28.04.2021 |
| Red Hat Ceph Storage 4.2 | gperftools | Fixed | RHSA-2021:1452 | 28.04.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.
In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.
In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy ...
EPSS
8.1 High
CVSS3