It was found that the rbd-target-api service provided by ceph-iscsi-cli was running with the Werkzeug debug mode enabled (app.run(..., debug=True)). In debug mode Werkzeug serves an interactive debugger with a code console whenever the application raises an unhandled exception, so an unauthenticated attacker who can reach the API port could use it to remotely execute arbitrary code in the context of the service and escalate privileges.
To disable the Werkzeug debug mode that rbd-target-api (provided by ceph-iscsi-cli) starts with:
1. ~]# systemctl stop rbd-target-api
2. ~]# vi /usr/bin/rbd-target-api
…
737 app.run(host='0.0.0.0',
738 port=settings.config.api_port,
739 debug=True, <==== change this to debug=False
use_evalex=False, <==== add this line: it stops the Werkzeug debugger console from evaluating code even if debug mode is ever re-enabled
740 use_reloader=False,
741 ssl_context=context)
…
After the changes the call should read as below. debug=False on its own stops Flask from installing the Werkzeug debugger (Flask sets use_debugger to the value of debug unless told otherwise); use_evalex=False is defence in depth so that the debugger console could not evaluate code even if debug mode were re-enabled by a later change.
…
737 app.run(host='0.0.0.0',
738 port=settings.config.api_port,
739 debug=False,
use_evalex=False,
740 use_reloader=False,
741 ssl_context=context)
…
3. ~]# systemctl start rbd-target-api
4. Limit exposure of port 5000/tcp: the API port should be reachable only from trusted hosts that need to run 'gwcli' (for example by restricting it with host firewall rules); it does not need to be open to the network at large.
Note that /usr/bin/rbd-target-api is a file owned by the ceph-iscsi-cli package, so a later package update will overwrite this local edit. Treat the edit as a workaround until a fixed package is installed, and re-check the app.run() call after any update of ceph-iscsi-cli.
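The following script is an added example, not part of this page or of the ceph-iscsi-cli project. It performs the check behind step 2 with Python's ast module instead of by eye: it locates the app.run(...) call in a script such as /usr/bin/rbd-target-api, reports whether a literal debug=True (or use_debugger=True) would install the Werkzeug debugger without use_evalex=False, and can apply the same edit as the manual procedure (debug=True becomes debug=False, and use_evalex=False is added when missing). It assumes the Flask object is named `app` as in the snippet above, that the file parses with the Python 3 ast module, and that the default path and the --fix flag are conventions of this example only.

```python
"""Audit, and optionally patch, the Flask app.run(...) call in a script such as
/usr/bin/rbd-target-api, reporting whether the Werkzeug debugger is exposed.
Example code added to this page; not the project's own tooling."""
import ast
import sys
from typing import Dict, Optional


def find_app_run(source: str) -> Optional[ast.Call]:
    """Locate the app.run(...) call. Assumes the Flask object is named `app`."""
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "app"):
            return node
    return None


def _keywords(call: ast.Call) -> Dict[str, ast.expr]:
    # **options cannot be evaluated statically, so only named keywords are kept.
    return {k.arg: k.value for k in call.keywords if k.arg is not None}


def audit(source: str) -> Dict[str, object]:
    """Report the debug-related keywords of app.run(). A value of None means the
    keyword is absent or not a literal, i.e. not decidable statically.
    Flask sets use_debugger to the value of `debug` unless given explicitly, and
    Werkzeug's debugger console evaluates code unless use_evalex is False, so
    debug=True on its own means remote code execution is possible."""
    call = find_app_run(source)
    if call is None:
        raise ValueError("no app.run(...) call found")
    kws = _keywords(call)

    def literal(name: str):
        node = kws.get(name)
        return node.value if isinstance(node, ast.Constant) else None

    debug, evalex, use_debugger = literal("debug"), literal("use_evalex"), literal("use_debugger")
    debugger_on = use_debugger if use_debugger is not None else debug
    return {
        "line": call.lineno,
        "debug": debug,
        "use_evalex": evalex,
        "debugger_exposed": debugger_on is True and evalex is not False,
        "safe": debugger_on is False,   # only an explicit literal False counts as safe
    }


def harden(source: str) -> str:
    """Rewrite a literal debug=True to debug=False and add use_evalex=False when it
    is missing, mirroring the manual edit; non-literal values are left for a human."""
    call = find_app_run(source)
    if call is None:
        raise ValueError("no app.run(...) call found")
    kws = _keywords(call)
    node = kws.get("debug")
    if not (isinstance(node, ast.Constant) and node.value is True):
        return source                       # already off, or not decidable statically
    new_text = "False" if "use_evalex" in kws else "False, use_evalex=False"
    lines = source.splitlines(keepends=True)
    raw = lines[node.lineno - 1].encode("utf-8")   # ast column offsets are UTF-8 byte offsets
    raw = raw[:node.col_offset] + new_text.encode("utf-8") + raw[node.end_col_offset:]
    lines[node.lineno - 1] = raw.decode("utf-8")
    patched = "".join(lines)
    if audit(patched)["debug"] is not False:        # re-parse to prove the edit took
        raise RuntimeError("patch did not disable debug mode")
    return patched


# Constructed sample mirroring the call shown on this page; not the real file contents.
BEFORE = """\
app.run(host='0.0.0.0',
        port=settings.config.api_port,
        debug=True,
        use_reloader=False,
        ssl_context=context)
"""

if __name__ == "__main__":
    # Usage (hypothetical convention of this example): audit.py [PATH] [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    path = args[0] if args else "/usr/bin/rbd-target-api"
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    print(audit(text))
    if "--fix" in sys.argv:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(harden(text))
```

Run it against the file after step 2 (and again after any package update) and confirm that "safe" is True and "debugger_exposed" is False; the audit refuses to call a non-literal setting safe, so a value such as debug=settings.config.debug has to be checked by hand. The patch edits only the exact span of the True literal, so it works whether the call is written over several lines, as on this page, or on one line.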