Privilege escalation in Red Hat Ceph Storage

1) Incorrect default permissions

EUVDB-ID: #VU72630

Risk: Low

CVSSv4.0: 7.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear]

CVE-ID: CVE-2022-3650

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to ceph-crash.service runs the ceph-crash Python script with root privileges. The script is operating in the directory /var/lib/ceph/crash which is controlled by the unprivileged ceph user. A local user can inject arbitrary data into the crash dump and force the privileged script to write that file into an arbitrary location on the system, resulting in privilege escalation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for x86_64: 8.0 - 9

Ceph: before 16.2.10-138.el8cp

cephadm-ansible (Red Hat package): before 1.11.0-1.el8cp

CPE2.3

• cpe:2.3:o:red_hat:red_hat_enterprise_linux:8.0:*:*:*:*:*:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux:9:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ceph:*:*:*:*:*:*:*:*
• cpe:2.3:o:red_hat:cephadm-ansible_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*

External links

https://access.redhat.com/errata/RHSA-2023:0980

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.