Vulnerability Details : CVE-2018-14649
Potential exploit
It was found that the ceph-iscsi-cli package, as shipped by Red Hat Ceph Storage 2 and 3, uses python-werkzeug in debug shell mode. This is done by setting debug=True in the file /usr/bin/rbd-target-api provided by the ceph-iscsi-cli package. This allows unauthenticated attackers to access the debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell, they can execute arbitrary commands remotely. These commands run with the same privileges as the user executing the application that uses python-werkzeug with debug shell mode enabled. In Red Hat Ceph Storage 2 and 3, the ceph-iscsi-cli package runs the python-werkzeug library with root-level permissions.
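A static check for the condition described above, added here as an example (it is not code from ceph-iscsi-cli or Red Hat): it parses Python source and reports `run`/`run_simple` calls that pass `debug` or `use_debugger` as a truthy literal or a runtime value. The sample sources, host and port are constructed for illustration and are not the contents of rbd-target-api.

```python
import ast
import sys

# Keyword arguments that switch on the Werkzeug interactive debugger:
# Flask's app.run(debug=...) and werkzeug.serving.run_simple(use_debugger=...).
DEBUG_KEYWORDS = {"debug", "use_debugger"}
RUN_FUNCS = {"run", "run_simple"}

def _call_name(call):
    """Return the called function's bare name (app.run -> 'run')."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None

def find_debug_enabled(source, filename="<source>"):
    """Return sorted (line, keyword, state) tuples for risky run() calls.

    state is 'enabled' for a literal truthy value and 'dynamic' when the
    value is computed at runtime and needs manual review.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call) or _call_name(node) not in RUN_FUNCS:
            continue
        for kw in node.keywords:
            if kw.arg not in DEBUG_KEYWORDS:
                continue
            if not isinstance(kw.value, ast.Constant):
                findings.append((node.lineno, kw.arg, "dynamic"))
            elif kw.value.value:
                findings.append((node.lineno, kw.arg, "enabled"))
    return sorted(findings)

# Constructed samples (not the real rbd-target-api source).
SAMPLE_DEBUG_ON = 'from flask import Flask\napp = Flask(__name__)\napp.run(host="0.0.0.0", port=5000, debug=True)\n'
SAMPLE_DEBUG_OFF = SAMPLE_DEBUG_ON.replace("debug=True", "debug=False")
SAMPLE_DYNAMIC = SAMPLE_DEBUG_ON.replace("debug=True", "debug=settings.debug")

if __name__ == "__main__":
    # Usage: python check_debug.py /usr/bin/rbd-target-api [more files...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for line, kw, state in find_debug_enabled(handle.read(), path):
                print(f"{path}:{line}: {kw} is {state}")
```

A file that uses Python 2-only syntax raises `SyntaxError` when parsed under Python 3, so run the check with an interpreter that matches the script being audited.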
Products affected by CVE-2018-14649
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ceph_storage:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ceph-iscsi-cli:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-14649
64.24%: probability of exploitation activity in the next 30 days
~98%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-14649
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Red Hat, Inc. | |
CWE ids for CVE-2018-14649
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Assigned by: secalert@redhat.com (Primary)
References for CVE-2018-14649
- https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b
  rbd-target-api: disable the built-in werkzeug debugger by dillaman · Pull Request #121 · ceph/ceph-iscsi-cli · GitHub (Patch; Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649
  1632078 – (CVE-2018-14649) CVE-2018-14649 ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution (Issue Tracking; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2838
  RHSA-2018:2838 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2837
  RHSA-2018:2837 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://www.securityfocus.com/bid/105434
  Redhat Ceph Storage CVE-2018-14649 Remote Command Injection Vulnerability (Third Party Advisory; VDB Entry)
- https://access.redhat.com/articles/3623521
  CVE-2018-14649 - ceph-iscsi-cli: rbd-target-api service runs in debug mode allowing for remote command execution - Red Hat Customer Portal (Mitigation; Patch; Vendor Advisory)
- https://github.com/ceph/ceph-iscsi-cli/issues/120
  rbd-target-api.py exploited. · Issue #120 · ceph/ceph-iscsi-cli · GitHub (Exploit; Third Party Advisory)