CVE-2022-0670
📋 TL;DR
This vulnerability in OpenStack Manila's Ceph filesystem integration allows a share owner to read or write any Manila share or the entire filesystem, compromising data confidentiality and integrity. It affects systems using Ceph Manager's volumes plugin with Manila. The flaw enables unauthorized access to shared filesystem resources.
💻 Affected Systems
- OpenStack Manila
- Ceph
- Red Hat Ceph Storage
📦 What is this software?
Ceph by Linuxfoundation
Ceph by Linuxfoundation
Ceph by Linuxfoundation
Fedora by Fedoraproject
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all Manila shares and underlying Ceph filesystem data, allowing data theft, modification, or destruction across the entire storage infrastructure.
Likely Case
Unauthorized access to sensitive files in shared storage, potentially exposing confidential data or allowing data manipulation within accessible shares.
If Mitigated
Limited impact with proper access controls and monitoring, but still represents a significant privilege escalation risk within the storage system.
🎯 Exploit Status
Exploitation requires authenticated access as a Manila share owner, making it an insider threat or privilege escalation vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ceph 17.2.2, RHCS 5.2
Vendor Advisory: https://ceph.io/en/news/blog/2022/v17-2-2-quincy-released/
Restart Required: Yes
Instructions:
1. Update Ceph to version 17.2.2 or later. 2. Update Red Hat Ceph Storage to version 5.2 or later. 3. Restart Ceph Manager services. 4. Verify Manila integration functionality post-update.
🔧 Temporary Workarounds
Disable vulnerable Manila-Ceph integration
linuxTemporarily disable Manila shares using Ceph backend until patching is possible
# Disable Manila shares using Ceph backend
# Check Manila configuration for Ceph references and disable affected shares
🧯 If You Can't Patch
- Implement strict access controls and monitoring on Manila share owners
- Isolate affected systems from sensitive data and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check Ceph version with 'ceph version' and verify if below 17.2.2, or check RHCS version if using Red Hat distribution.Check Version:
ceph versionVerify Fix Applied:
Confirm Ceph version is 17.2.2 or higher with 'ceph version', and test Manila share access controls to ensure proper isolation.📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to Manila shares
- Multiple share access attempts from single owner accounts
- Ceph Manager volume plugin errors or unexpected operations
Network Indicators:
- Increased Manila API calls from share owner accounts
- Unusual data transfer patterns between shares
SIEM Query:
source="ceph.log" OR source="manila.log" AND ("volume plugin" OR "share access") AND (error OR unauthorized OR unexpected)🔗 References
- https://ceph.io/en/news/blog/2022/v17-2-2-quincy-released/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5O3XMDFZWA2FWU6GAYOVSFJPOUTXN42N/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TIRTTRG5O4YP2TNGDCDOHIHP2DM3DFBT/
- https://ceph.io/en/news/blog/2022/v17-2-2-quincy-released/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5O3XMDFZWA2FWU6GAYOVSFJPOUTXN42N/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TIRTTRG5O4YP2TNGDCDOHIHP2DM3DFBT/
