CVE-2018-14649
published 2018-10-09


Priority: P267 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.65% (95.5th percentile)
It was found that the ceph-iscsi-cli package as shipped by Red Hat Ceph Storage 2 and 3 runs python-werkzeug in debug shell mode. This is done by setting debug=True in the file /usr/bin/rbd-target-api provided by the ceph-iscsi-cli package. This allows unauthenticated attackers to access the debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they are able to execute arbitrary commands remotely. These commands run with the same privileges as the user executing the application that uses python-werkzeug with debug shell mode enabled. In Red Hat Ceph Storage 2 and 3, the ceph-iscsi-cli package runs the python-werkzeug library with root-level permissions.

Affected

5 ranges
Vendor   Product                        Version range   Fixed in
redhat   ceph_storage
redhat   ceph_storage
redhat   enterprise_linux_desktop
redhat   enterprise_linux_server
redhat   enterprise_linux_workstation

Detection & IOCs (extracted from sources)

path: /usr/bin/rbd-target-api
port: 5000/tcp
command: debug=True
  • Detect the rbd-target-api service running with the Werkzeug debug shell enabled by monitoring for the debug=True flag in /usr/bin/rbd-target-api at the app.run() call site.
  • Monitor for unauthenticated inbound connections to TCP port 5000 targeting the rbd-target-api / python-werkzeug debug console, which would indicate exploitation attempts.
  • Alert on the rbd-target-api process spawning unexpected child processes or executing shell commands, as successful exploitation results in arbitrary command execution with root privileges.
  • Check for the presence of the Werkzeug interactive debugger PIN challenge/response HTTP traffic on port 5000, which is characteristic of the debug console being exposed.
  • The vulnerability is introduced by a misconfiguration in the application code, not in the python-werkzeug library itself. The library is only exploitable when the consuming application sets debug=True.
  • The service binds on all interfaces (0.0.0.0) by default, maximising exposure. The use_evalex=False parameter must also be added alongside debug=False to fully disable debugger code execution.
  • Affected scope is limited to ceph-iscsi-cli as shipped with Red Hat Ceph Storage 2 and 3; other distributions or upstream packages may differ.
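The following is an added example, not code from this page or from the ceph-iscsi-cli project: a small static audit that parses a Python source file and reports every Flask app.run() / Werkzeug run_simple() call whose keyword arguments enable the interactive debugger, alongside the hardened call the bullets above describe (debug=False plus use_evalex=False, bound to loopback). The two source strings are constructed stand-ins for the pattern, not the contents of /usr/bin/rbd-target-api; the function names audit_source and is_hardened are this example's own.

```python
"""Audit Python source for Werkzeug/Flask run() calls that expose the
interactive debugger, the misconfiguration described for CVE-2018-14649.

Added example: not code from the cvebase page or from ceph-iscsi-cli. The
two source strings below are constructed stand-ins, not the contents of
/usr/bin/rbd-target-api.
"""
import ast

# Constructed sample mirroring the weak pattern the advisory describes:
# debug=True at the app.run() call, bound on all interfaces, port 5000.
WEAK_SOURCE = '''
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000, debug=True)
'''

# Constructed sample of the corrected call: debugger off, use_evalex off as
# well (a Werkzeug run_simple option that Flask forwards), and bound to
# loopback so the API is not reachable from other hosts.
HARDENED_SOURCE = '''
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(host="127.0.0.1", port=5000, debug=False, use_evalex=False)
'''

# Call names that start the Werkzeug development server.
RUN_NAMES = {"run", "run_simple"}


def _literal_kwarg(call, name):
    """Return the literal value passed as keyword `name`, or None if it is
    absent or not a plain constant (a variable cannot be judged statically)."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def audit_source(source):
    """Return one finding per run()/run_simple() call found in `source`.

    Each finding records whether the interactive debugger is switched on
    (debug=True for Flask, use_debugger=True for run_simple), whether
    use_evalex=False is set explicitly, and which host the server binds."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if name not in RUN_NAMES:
            continue
        debugger_on = (_literal_kwarg(node, "debug") is True
                       or _literal_kwarg(node, "use_debugger") is True)
        findings.append({
            "line": node.lineno,
            "call": name,
            "debugger_enabled": debugger_on,
            "evalex_disabled": _literal_kwarg(node, "use_evalex") is False,
            "host": _literal_kwarg(node, "host"),
        })
    return findings


def is_hardened(source):
    """True only if the file starts a server and every such call has the
    debugger off and use_evalex=False set explicitly, as recommended above."""
    findings = audit_source(source)
    return bool(findings) and all(
        not f["debugger_enabled"] and f["evalex_disabled"] for f in findings)


if __name__ == "__main__":
    for label, src in (("weak", WEAK_SOURCE), ("hardened", HARDENED_SOURCE)):
        for finding in audit_source(src):
            print(label, finding)
        print(label, "hardened:", is_hardened(src))
```

Run against a real file with audit_source(open(path).read()); a value passed as a variable rather than a literal is reported as None and should be reviewed by hand. Note that this only finds the call-site misconfiguration; the network exposure (0.0.0.0 on port 5000) is reported in the host field so both points from the bullets above are visible in one finding.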

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat             9.8     CRITICAL