cnvd - cnvd-2019-02477

cnvd-2019-02477

Vulnerability from cnvd

Title: Red Hat Ceph Storage ceph-isci-cli包远程命令注入漏洞

Description:

Red Hat Ceph Storage是美国红帽（Red Hat）公司的一套可扩展的、开放性的软件定义存储平台。ceph-isci-cli是其中的一个命令行程序。

Red Hat Ceph Storage 2版本和3版本中的ceph-isci-cli包存在安全漏洞。攻击者可利用该漏洞访问调试shell并提升权限，进而以运行该应用程序用户的权限执行任意命令。

Severity: 高

Patch Name: Red Hat Ceph Storage ceph-isci-cli包远程命令注入漏洞的补丁

Patch Description:

Red Hat Ceph Storage是美国红帽（Red Hat）公司的一套可扩展的、开放性的软件定义存储平台。ceph-isci-cli是其中的一个命令行程序。

Red Hat Ceph Storage 2版本和3版本中的ceph-isci-cli包存在安全漏洞。攻击者可利用该漏洞访问调试shell并提升权限，进而以运行该应用程序用户的权限执行任意命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b

Reference: https://access.redhat.com/articles/3623521

Impacted products

Name
Red Hat Ceph Storage

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "105434"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-14649"
    }
  },
  "description": "Red Hat Ceph Storage\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684\u3001\u5f00\u653e\u6027\u7684\u8f6f\u4ef6\u5b9a\u4e49\u5b58\u50a8\u5e73\u53f0\u3002ceph-isci-cli\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u547d\u4ee4\u884c\u7a0b\u5e8f\u3002\n\nRed Hat Ceph Storage 2\u7248\u672c\u548c3\u7248\u672c\u4e2d\u7684ceph-isci-cli\u5305\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u8c03\u8bd5shell\u5e76\u63d0\u5347\u6743\u9650\uff0c\u8fdb\u800c\u4ee5\u8fd0\u884c\u8be5\u5e94\u7528\u7a0b\u5e8f\u7528\u6237\u7684\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "Sam Fowler",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-02477",
  "openTime": "2019-01-22",
  "patchDescription": "Red Hat Ceph Storage\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u6269\u5c55\u7684\u3001\u5f00\u653e\u6027\u7684\u8f6f\u4ef6\u5b9a\u4e49\u5b58\u50a8\u5e73\u53f0\u3002ceph-isci-cli\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u547d\u4ee4\u884c\u7a0b\u5e8f\u3002\r\n\r\nRed Hat Ceph Storage 2\u7248\u672c\u548c3\u7248\u672c\u4e2d\u7684ceph-isci-cli\u5305\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u8c03\u8bd5shell\u5e76\u63d0\u5347\u6743\u9650\uff0c\u8fdb\u800c\u4ee5\u8fd0\u884c\u8be5\u5e94\u7528\u7a0b\u5e8f\u7528\u6237\u7684\u6743\u9650\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Red Hat Ceph Storage ceph-isci-cli\u5305\u8fdc\u7a0b\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Red Hat Ceph Storage"
  },
  "referenceLink": "https://access.redhat.com/articles/3623521",
  "serverity": "\u9ad8",
  "submitTime": "2018-10-12",
  "title": "Red Hat Ceph Storage ceph-isci-cli\u5305\u8fdc\u7a0b\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2018-14649 (GCVE-0-2018-14649)

Vulnerability from cvelistv5

Published

2018-10-09 17:00

Modified

2024-08-05 09:38

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-77

Summary

It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions.

References

▼	URL	Tags
	https://access.redhat.com/articles/3623521	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/105434	vdb-entry, x_refsource_BID
	https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b	x_refsource_CONFIRM
	https://github.com/ceph/ceph-iscsi-cli/issues/120	x_refsource_CONFIRM
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2018:2838	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:2837	vendor-advisory, x_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	[UNKNOWN]	ceph-iscsi-cli	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.114Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/articles/3623521"
          },
          {
            "name": "105434",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105434"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ceph/ceph-iscsi-cli/issues/120"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649"
          },
          {
            "name": "RHSA-2018:2838",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2838"
          },
          {
            "name": "RHSA-2018:2837",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2837"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ceph-iscsi-cli",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-09-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-10T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://access.redhat.com/articles/3623521"
        },
        {
          "name": "105434",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105434"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ceph/ceph-iscsi-cli/issues/120"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649"
        },
        {
          "name": "RHSA-2018:2838",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2838"
        },
        {
          "name": "RHSA-2018:2837",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2837"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-14649",
    "datePublished": "2018-10-09T17:00:00",
    "dateReserved": "2018-07-27T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted