CVE-2018-14649
published 2018-10-09
Priority P267 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.65% (95.5th percentile)
It was found that the ceph-iscsi-cli package as shipped by Red Hat Ceph Storage 2 and 3 uses python-werkzeug in debug shell mode. This is done by setting debug=True in the file /usr/bin/rbd-target-api provided by the ceph-iscsi-cli package. This allows unauthenticated attackers to access the debug shell and escalate privileges. Once an attacker has connected to the debug shell, they can execute arbitrary commands remotely. These commands run with the same privileges as the user running the application that uses python-werkzeug with debug shell mode enabled. In Red Hat Ceph Storage 2 and 3, the ceph-iscsi-cli package runs the python-werkzeug library with root-level permissions.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | ceph_storage | — | — |
| redhat | ceph_storage | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs
- Detect the rbd-target-api service running with the Werkzeug debug shell enabled by monitoring for the debug=True flag in /usr/bin/rbd-target-api at the app.run() call site.
- Monitor for unauthenticated inbound connections to TCP port 5000 targeting the rbd-target-api / python-werkzeug debug console, which would indicate exploitation attempts.
- Alert on the rbd-target-api process spawning unexpected child processes or executing shell commands, as successful exploitation results in arbitrary command execution with root privileges.
- Check for the presence of the Werkzeug interactive debugger PIN challenge/response HTTP traffic on port 5000, which is characteristic of the debug console being exposed.
- The vulnerability is introduced by a misconfiguration in the application code, not in the python-werkzeug library itself. The library is only exploitable when the consuming application sets debug=True.
- The service binds on all interfaces (0.0.0.0) by default, maximising exposure. The use_evalex=False parameter must also be added alongside debug=False to fully disable debugger code execution.
- Affected scope is limited to ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3; other distributions or upstream packages may differ.
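A static check for the first detection item and the use_evalex note above, as an added example (not code from the advisory or from the ceph-iscsi-cli project): it parses a Python file and reports app.run() calls that set debug=True or do not pass use_evalex=False. The receiver name `app` and both sample sources are assumptions constructed for illustration.

```python
import ast

# Constructed sample sources (not the real /usr/bin/rbd-target-api contents).
VULNERABLE = (
    "from flask import Flask\n"
    "app = Flask(__name__)\n"
    'app.run(host="0.0.0.0", port=5000, debug=True)\n'
)
FIXED = VULNERABLE.replace("debug=True", "debug=False, use_evalex=False")


def _literal(node):
    """Return the literal value of a keyword argument, or None if not a literal."""
    return node.value if isinstance(node, ast.Constant) else None


def audit_run_calls(source, receiver="app"):
    """Return [(lineno, [issues])] for <receiver>.run(...) calls with risky debugger settings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == receiver):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        issues = []
        if "debug" in kwargs:
            value = _literal(kwargs["debug"])
            if value is True:
                issues.append("debug=True")
            elif value is not False:
                # e.g. debug=settings.DEBUG: cannot be decided statically
                issues.append("debug is not a literal False")
        # Absent or non-False use_evalex leaves debugger code execution possible.
        if _literal(kwargs.get("use_evalex")) is not False:
            issues.append("use_evalex=False not set")
        if issues:
            findings.append((node.lineno, issues))
    return sorted(findings)


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, audit_run_calls(src))
```

To audit an installed host, pass the contents of /usr/bin/rbd-target-api to `audit_run_calls` and treat any finding as a reason to apply the vendor errata.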
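CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.8 | CRITICAL | — |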
Red Hat
ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution
vendor_redhat·2018-09-24·CVSS 9.8
CVE-2018-14649 [CRITICAL] CWE-77 ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution
GHSA
GHSA-vq9p-965j-5xf8: It was found that ceph-iscsi-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode
ghsa_unreviewed·2022-05-13
CVE-2018-14649 [CRITICAL] CWE-77 GHSA-vq9p-965j-5xf8: It was found that ceph-iscsi-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode
No detection rules found.
No public exploits indexed.
- http://www.securityfocus.com/bid/105434
- https://access.redhat.com/articles/3623521
- https://access.redhat.com/errata/RHSA-2018:2837
- https://access.redhat.com/errata/RHSA-2018:2838
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649
- https://github.com/ceph/ceph-iscsi-cli/issues/120
- https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b
Published: 2018-10-09