Talos Intelligence: TALOS-2019-0914
Published: Mar 24, 2020 - 12:00 a.m.

Intel Raid Web Console 3 DISCOVERY Denial of Service

2020-03-24 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 44.5%

Summary

An exploitable denial of service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can cause the LSA.exe service to exit, resulting in a denial of service. A remote unauthenticated attacker can send a malicious POST request to trigger this vulnerability.

Tested Versions

Intel Raid Web Console 3 v007.009.011.000

Product URLs

Intel Raid Web Console 3 Download

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 Improper Input Validation https://cwe.mitre.org/data/definitions/20.html

Details

Intel® RAID Web Console 3 (RWC3) software is a web-based application that performs monitoring, maintaining, troubleshooting and configuration functions for the Intel RAID products. The RWC3 graphical user interface (GUI) simplifies the viewing of an existing server hardware configuration, as well as creating and managing storage configurations.

The binary used for this vulnerability is below:

Image path: C:\Program Files (x86)\LSI\LSIStorageAuthority\bin\HTTP.dll
Image name: HTTP.dll
Timestamp:        Fri Jan 11 00:10:36 2019 (5C384F7C)
CheckSum:         00039A00
ImageSize:        00032000
File version:     7.9.11.0
Product version:  7.9.11.0

The vulnerable endpoint is /LSI/Storage/MR/API/1.0/servers/serverid/operations/DISCOVERY. This endpoint is meant to add new Intel RAID servers to the Intel gateway. One example request is below:

POST /LSI/Storage/MR/API/1.0/servers/00:aa:bb:12:04:da/operations/DISCOVERY HTTP/1.1
Host: 192.168.31.128:2463
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.31.128:2463/ui/remoteserver/index.html?locale=en
Content-Type: application/json
Content-Length: 84
Connection: close

{"action":"SEARCH", "parameters":{"address":"192.168.31.1", "isIndirectAgent":true}}

An HTTP GET /ui/ request is sent to the address 192.168.31.1; if the response code is 200, the server is added to the gateway. A request with no JSON body will cause the process to call _invalid_parameter_noinfo.

HTTP+0x508a
.text:0000508A                 cmp     edi, [eax+0Ch]
.text:0000508D                 ja      short loc_5095
.text:0000508F                 call    ds:_invalid_parameter_noinfo

This causes the LSA.exe service to terminate, resulting in a denial of service.
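
For detection, the following added example (not part of the Talos advisory or the vendor's code) classifies raw HTTP requests and flags POSTs to the DISCOVERY endpoint that carry no JSON body, e.g. when triaging proxy captures. The loose server-id pattern, the verdict names and the sample requests (192.0.2.x addresses) are assumptions constructed for illustration.

```python
import json
import re

# Endpoint path from the advisory; matching the server-id segment loosely is an assumption.
DISCOVERY = re.compile(r"^/LSI/Storage/MR/API/1\.0/servers/[^/]+/operations/DISCOVERY/?$")
DEFAULT_PATH = "/LSI/Storage/MR/API/1.0/servers/00:aa:bb:12:04:da/operations/DISCOVERY"

def classify_request(raw: bytes) -> str:
    """Classify one raw HTTP request: not-discovery, ok, empty-body or invalid-json."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return "not-discovery"
    method, target, _version = parts
    if method.upper() != "POST" or not DISCOVERY.match(target.split("?", 1)[0]):
        return "not-discovery"
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    length = headers.get("content-length", "")
    if length.isdigit():
        body = body[:int(length)]  # ignore bytes past the declared length
    if not body.strip():
        return "empty-body"  # the case the advisory reports as terminating LSA.exe
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return "invalid-json"
    return "ok" if isinstance(doc, dict) else "invalid-json"

def _req(body: bytes, path: str = DEFAULT_PATH) -> bytes:
    """Build a constructed sample request (hypothetical helper for this example)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.10:2463\r\n"
            f"Content-Type: application/json\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body

SAMPLES = {  # constructed requests, not captured traffic
    "valid": _req(b'{"action":"SEARCH", "parameters":{"address":"192.0.2.1", "isIndirectAgent":true}}'),
    "no_body": _req(b""),
    "garbage": _req(b"not json"),
    "other": _req(b"", path="/ui/"),
}

def scan(samples: dict) -> dict:
    return {name: classify_request(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:8} {verdict}")
```

The same check can sit in a reverse proxy in front of the console so that requests classified as empty-body or invalid-json are rejected before they reach LSA.exe.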

Timeline

2019-10-28 - Initial contact
2019-11-05 - 2nd contact; Vendor acknowledged & assigned PSIRT reference
2019-11-19 - Vendor requested disclosure extension for March timeline
2020-03-10 - Vendor confirmed mitigations
2020-03-24 - Public Release
