csaf_redhat - rhsa-2018:2838

rhsa-2018:2838

Vulnerability from csaf_redhat

Published

2018-10-01 15:13

Modified

2024-11-15 00:35

Summary

Red Hat Security Advisory: ceph-iscsi-cli security update

Notes

Topic

An update for ceph-iscsi-cli is now available for Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

ceph-iscsi-cli provides a CLI interface similar to the targetcli tool used to interact with the kernel LIO subsystem. Security Fix(es): * It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges. (CVE-2018-14649)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for ceph-iscsi-cli is now available for Red Hat Ceph Storage 3.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "ceph-iscsi-cli provides a CLI interface similar to the targetcli tool used to interact with the kernel LIO subsystem.\n\nSecurity Fix(es):\n\n* It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges. (CVE-2018-14649)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2018:2838",
        "url": "https://access.redhat.com/errata/RHSA-2018:2838"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/articles/3623521",
        "url": "https://access.redhat.com/articles/3623521"
      },
      {
        "category": "external",
        "summary": "1632078",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632078"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2838.json"
      }
    ],
    "title": "Red Hat Security Advisory: ceph-iscsi-cli security update",
    "tracking": {
      "current_release_date": "2024-11-15T00:35:48+00:00",
      "generator": {
        "date": "2024-11-15T00:35:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2018:2838",
      "initial_release_date": "2018-10-01T15:13:30+00:00",
      "revision_history": [
        {
          "date": "2018-10-01T15:13:30+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-10-01T15:13:30+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T00:35:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Ceph Storage 3.1 Tools",
                "product": {
                  "name": "Red Hat Ceph Storage 3.1 Tools",
                  "product_id": "7Server-RHEL-7-RHCEPH-3.1-Tools",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ceph_storage:3::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Ceph Storage"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
                "product": {
                  "name": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
                  "product_id": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ceph-iscsi-cli@2.7-7.el7cp?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
                "product": {
                  "name": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
                  "product_id": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ceph-iscsi-cli@2.7-7.el7cp?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch as a component of Red Hat Ceph Storage 3.1 Tools",
          "product_id": "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch"
        },
        "product_reference": "ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
        "relates_to_product_reference": "7Server-RHEL-7-RHCEPH-3.1-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ceph-iscsi-cli-0:2.7-7.el7cp.src as a component of Red Hat Ceph Storage 3.1 Tools",
          "product_id": "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
        },
        "product_reference": "ceph-iscsi-cli-0:2.7-7.el7cp.src",
        "relates_to_product_reference": "7Server-RHEL-7-RHCEPH-3.1-Tools"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-14649",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2018-09-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1632078"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3. This flaw does not affect python-werkzeug library. It depends on if application uses python-werkzeug library with debug mode enabled.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
          "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-14649"
        },
        {
          "category": "external",
          "summary": "RHBZ#1632078",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1632078"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14649",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-14649"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14649",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14649"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/3623521",
          "url": "https://access.redhat.com/articles/3623521"
        }
      ],
      "release_date": "2018-09-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-10-01T15:13:30+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:2838"
        },
        {
          "category": "workaround",
          "details": "To stop werkzeug debug mode started by rbd-target-api which is provided by ceph-iscsi-cli:\n\n1. ~]# systemctl stop rbd-target-api\n\n2. ~]# vi /usr/bin/rbd-target-api\n\n# Start the API server\n...\n737     app.run(host=\u00270.0.0.0\u0027,\n738             port=settings.config.api_port,\n739             debug=True,       \u003c==== change this to debug=False\n                    use_evalex=False,   \u003c=== add this line to disable debugger code execution\n740             use_reloader=False,\n741             ssl_context=context)\n...\n\nafter changes it should be\n\n# Start the API server\n...\n737     app.run(host=\u00270.0.0.0\u0027,\n738             port=settings.config.api_port,\n739             debug=False, \n                    use_evalex=False,\n740             use_reloader=False,\n741             ssl_context=context)\n...\n\n3. ~]# systemctl start rbd-target-api\n\n4. Limit exposure of port 5000/tcp: This port should be opened to trusted hosts which require to run \u0027gwcli\u0027.",
          "product_ids": [
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.noarch",
            "7Server-RHEL-7-RHCEPH-3.1-Tools:ceph-iscsi-cli-0:2.7-7.el7cp.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution"
    }
  ]
}

cve-2018-14649

Vulnerability from cvelistv5

Published

2018-10-09 17:00

Modified

2024-08-05 09:38

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions.

References

▼	URL	Tags
	https://access.redhat.com/articles/3623521	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/105434	vdb-entry, x_refsource_BID
	https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b	x_refsource_CONFIRM
	https://github.com/ceph/ceph-iscsi-cli/issues/120	x_refsource_CONFIRM
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2018:2838	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:2837	vendor-advisory, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

▼

[UNKNOWN]

ceph-iscsi-cli

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.114Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/articles/3623521"
          },
          {
            "name": "105434",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105434"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ceph/ceph-iscsi-cli/issues/120"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649"
          },
          {
            "name": "RHSA-2018:2838",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2838"
          },
          {
            "name": "RHSA-2018:2837",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2837"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ceph-iscsi-cli",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-09-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-10T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://access.redhat.com/articles/3623521"
        },
        {
          "name": "105434",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105434"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ceph/ceph-iscsi-cli/issues/120"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649"
        },
        {
          "name": "RHSA-2018:2838",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2838"
        },
        {
          "name": "RHSA-2018:2837",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2837"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-14649",
    "datePublished": "2018-10-09T17:00:00",
    "dateReserved": "2018-07-27T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted