
CVE-2023-43040: CWE-1220 Insufficient Granularity of Access Control in IBM Spectrum Fusion HCI

Severity: Medium
Tags: Vulnerability, CVE-2023-43040, CWE-1220
Published: Mon May 13 2024 (05/13/2024, 02:18:30 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Spectrum Fusion HCI

Description

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.

AI-Powered Analysis

AI analysis last updated: 11/03/2025, 18:48:37 UTC

Technical Analysis

CVE-2023-43040 is a vulnerability classified under CWE-1220 (Insufficient Granularity of Access Control) affecting IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2. The issue resides in the Ceph RADOS Gateway (RGW) component, which provides the platform's S3-compatible object storage. Because bucket-level access controls are not enforced with sufficient granularity, an attacker can perform unauthorized actions on Ceph buckets, potentially modifying stored data without proper authorization. The vulnerability has no confidentiality impact, but it has a high integrity impact and a low availability impact. The CVSS v3.1 base score is 6.5 (medium), with attack vector network (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and low availability impact (A:L). In other words, exploitation is possible over the network and needs neither authentication nor user interaction, but it depends on conditions the attacker does not fully control, and a successful attacker can alter stored data. No public exploits or active exploitation have been reported to date. The vulnerability points to a misconfiguration or design flaw in access control granularity within the RGW interface of IBM Spectrum Fusion HCI, a platform used in enterprise hyperconverged infrastructure environments that integrate Ceph storage. Organizations relying on this platform for object storage should be aware of the risk of unauthorized data manipulation and prepare to apply vendor patches or mitigations.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to data integrity within Ceph object storage environments managed by IBM Spectrum Fusion HCI. Unauthorized modification of stored objects could disrupt business operations, corrupt critical data, or undermine trust in stored information. Sectors such as finance, healthcare, government, and critical infrastructure that rely on IBM Spectrum Fusion HCI for scalable storage solutions could face operational disruptions or compliance issues if data integrity is compromised. Although confidentiality is not directly impacted, the ability to alter data without authorization can have cascading effects on data reliability and auditability. The medium severity rating reflects the complexity of exploitation but also the significant impact on integrity. Since no authentication is required, any exposed RGW endpoints accessible over the network could be targeted. European organizations with exposed or poorly segmented storage networks are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate future risk, especially as threat actors may develop exploits once details are public.

Mitigation Recommendations

1. Immediately review and restrict network access to the Ceph RGW endpoints, ensuring they are not exposed to untrusted networks or the internet.
2. Implement strict network segmentation and firewall rules so that IBM Spectrum Fusion HCI management and storage interfaces are reachable only by authorized personnel and systems.
3. Monitor RGW access logs and audit trails for unusual or unauthorized bucket access patterns indicative of exploitation attempts.
4. Engage with IBM support to obtain patches or updates addressing this vulnerability as soon as they become available, and plan timely deployment.
5. Consider deploying additional access control mechanisms or proxy layers that enforce finer-grained authorization policies on bucket operations.
6. Conduct internal security assessments and penetration tests focusing on Ceph RGW access controls to identify and remediate any configuration weaknesses.
7. Educate system administrators on the importance of access control granularity and secure configuration of object storage components.
8. Maintain an up-to-date inventory of affected IBM Spectrum Fusion HCI versions and plan upgrades to versions beyond 2.7.2 once patches are released.
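As an added illustration of the policy review in items 5 and 6 (this is example code written for this page, not code from IBM, the Ceph project or the advisory), the following Python script lints an S3-style bucket policy of the kind RGW accepts and flags every Allow statement that hands write capabilities to an anonymous or wildcard principal. The two policy documents are constructed samples; the `arn:aws:iam:::user/<uid>` principal form used for a local RGW user is an assumption about the deployment, and the list of actions treated as "write" is the author's choice, not a Ceph definition.

```python
"""Bucket-policy granularity linter (added example, not vendor code).

Assumes the AWS-style bucket policy JSON that Ceph RGW accepts through
PutBucketPolicy. The sample policies and the user ARN are constructed.
"""
import json

# Actions that let a caller change bucket contents or the bucket's own
# access controls. Chosen for this example; not an exhaustive Ceph list.
WRITE_ACTIONS = {
    "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
    "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:DeleteBucket",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True for '*' or {'AWS': '*'} / {'AWS': ['*', ...]} principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def action_grants_write(actions) -> bool:
    """True if any listed action (including wildcards) covers a write."""
    for action in _as_list(actions):
        if action in ("*", "s3:*") or action in WRITE_ACTIONS:
            return True
        if action.endswith("*"):  # prefix wildcard such as s3:Put*
            prefix = action[:-1]
            if any(w.startswith(prefix) for w in WRITE_ACTIONS):
                return True
    return False


def find_overbroad_statements(policy: dict) -> list:
    """Return the Allow statements that give anonymous principals write access."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        if not action_grants_write(stmt.get("Action")):
            continue
        findings.append({
            "statement": index,
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def lint_policy_json(text: str) -> list:
    """Parse a policy document and return its over-broad write grants."""
    return find_overbroad_statements(json.loads(text))


# Constructed sample: anyone may write to and delete from the bucket.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
        {"Sid": "OpenWrite", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:Put*",
         "Resource": "arn:aws:s3:::reports/*"},
    ],
})

# Constructed sample: writes are limited to one named RGW user
# (ARN form assumed for a local user with no tenant).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam:::user/app-writer"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::reports/*"},
    ],
})


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(lint_policy_json(doc), indent=2))
```

Run it against each bucket's policy (in a real deployment, the document returned by GetBucketPolicy) and treat any finding as an entry for the remediation list; a statement that carries a `Condition` is reported too, because conditions narrow a grant but do not by themselves make a wildcard principal safe.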


Technical Details

Data Version
5.2
Assigner Short Name
ibm
Date Reserved
2023-09-15T01:12:19.597Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6908f50bf612d110fe9cbe57

Added to database: 11/3/2025, 6:31:39 PM

Last enriched: 11/3/2025, 6:48:37 PM

Last updated: 11/4/2025, 8:08:37 AM
