It was found that rbd-target-api service provided by ceph-iscsi-cli was running in debug mode. An unauthenticated attacker could use this to remotely execute arbitrary code and escalate privileges.

Mitigation

To stop werkzeug debug mode started by rbd-target-api which is provided by ceph-iscsi-cli:

1. ~]# systemctl stop rbd-target-api

2. ~]# vi /usr/bin/rbd-target-api

Start the API server

…
737 app.run(host='0.0.0.0',
738 port=settings.config.api_port,
739 debug=True, <==== change this to debug=False
use_evalex=False, <=== add this line to disable debugger code execution
740 use_reloader=False,
741 ssl_context=context)
…

after changes it should be

Start the API server

…
737 app.run(host='0.0.0.0',
738 port=settings.config.api_port,
739 debug=False,
use_evalex=False,
740 use_reloader=False,
741 ssl_context=context)
…

3. ~]# systemctl start rbd-target-api

4. Limit exposure of port 5000/tcp: This port should be opened to trusted hosts which require to run 'gwcli'.