प्लेटफ़ॉर्म
linux
घटक
ceph
में ठीक किया गया
17.2.8
18.2.2
19.0.1
CVE-2025-52555 is a privilege escalation vulnerability discovered in Ceph, a distributed storage platform. This flaw allows an unprivileged user to escalate their privileges to root within a CephFS environment mounted via ceph-fuse. The vulnerability impacts Ceph versions 17.2.1 through 19.2.2 and is addressed in versions 17.2.8, 18.2.5, and 19.2.3.
The impact of CVE-2025-52555 is significant due to the potential for complete system compromise. An attacker exploiting this vulnerability can gain root access on the host running the ceph-fuse client. This allows them to read, write, and execute arbitrary code, effectively taking control of the system. The vulnerability arises from a misconfiguration where an unprivileged user can modify the permissions of directories owned by root within a mounted CephFS. By changing the permissions to 777, the attacker bypasses normal access controls and gains unrestricted access. This could lead to data breaches, system disruption, and further lateral movement within the network.
While no public exploits are currently known, the vulnerability's ease of exploitation raises concerns. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is not yet available, but the simplicity of the attack suggests it could be developed quickly. The potential for widespread impact, given the prevalence of Ceph in enterprise environments, warrants careful attention.
Organizations heavily reliant on Ceph for storage, particularly those with environments where unprivileged users have access to ceph-fuse mounted file systems, are at risk. Shared hosting environments and deployments with overly permissive file permissions are especially vulnerable.
• linux / server:
journalctl -u ceph-fuse -g 'chmod 777' | grep -i 'permission granted'• linux / server:
find /mnt/cephfs -type d -user root -perm 777• linux / server:
ps aux | grep ceph-fuse | grep -i 'chmod 777'Public Disclosure
एक्सप्लॉइट स्थिति
EPSS
0.03% (7% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-52555 is to upgrade Ceph to a patched version: 17.2.8, 18.2.5, or 19.2.3. If an immediate upgrade is not possible, a temporary workaround is to restrict the ability of unprivileged users to modify file permissions within the ceph-fuse mounted directories. This can be achieved through access control lists (ACLs) or other permission management tools. Additionally, monitor ceph-fuse processes for unusual activity and implement intrusion detection systems (IDS) to detect attempts to modify file permissions. After upgrading, verify the fix by attempting to chmod a root-owned directory to 777 and confirming that the operation is denied.
Actualice Ceph a las versiones 17.2.8, 18.2.5 o 19.2.3, o a una versión posterior. Esto corrige la vulnerabilidad de escalada de privilegios en CephFS montado con Fuse. La actualización evitará que usuarios sin privilegios escalen a privilegios de root.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-52555 is a medium severity vulnerability in Ceph versions 17.2.1–19.2.2 that allows unprivileged users to gain root access by manipulating file permissions.
You are affected if you are running Ceph versions 17.2.1 through 19.2.2 and have not upgraded to a patched version (17.2.8, 18.2.5, or 19.2.3).
Upgrade Ceph to version 17.2.8, 18.2.5, or 19.2.3. As a temporary workaround, restrict unprivileged user permissions on ceph-fuse mounted directories.
No active exploitation has been confirmed, but the vulnerability's simplicity suggests potential for exploitation.
Refer to the Ceph security advisory for detailed information and updates: [https://docs.ceph.com/en/latest/security/](https://docs.ceph.com/en/latest/security/)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।