CVE-2018-14649

Published: Oct 9, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions.

Affected (6)

Products: Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation, Ceph Storage, Ceph Iscsi Cli

5 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Workstation	Version 7.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Ceph Storage	Version 2.0
Redhat Ceph Storage	Version 3.0

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Ceph Iscsi Cli	All versions

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (14)

http://www.securityfocus.com/bid/105434

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/articles/3623521

Source: secalert@redhat.com

MitigationPatchVendor Advisory

https://access.redhat.com/errata/RHSA-2018:2837

Source: secalert@redhat.com

Vendor Advisory

https://access.redhat.com/errata/RHSA-2018:2838

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://github.com/ceph/ceph-iscsi-cli/issues/120

Source: secalert@redhat.com

ExploitThird Party Advisory

https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b

Source: secalert@redhat.com

PatchVendor Advisory

http://www.securityfocus.com/bid/105434

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/articles/3623521

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationPatchVendor Advisory

https://access.redhat.com/errata/RHSA-2018:2837

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://access.redhat.com/errata/RHSA-2018:2838

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14649

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://github.com/ceph/ceph-iscsi-cli/issues/120

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/ceph/ceph-iscsi-cli/pull/121/commits/c3812075e30c76a800a961e7291087d357403f6b

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.