CERT VU:124908
History: May 30, 2014 - 12:00 a.m.

Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability

2014-05-30 00:00:00
www.kb.cert.org

CVSS2: 9 High
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.004 Low
Percentile: 74.9%

Overview

Dell ML6000 and Quantum Scalar i500 tape backup systems contain a command injection vulnerability.

Description

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Dell’s and Quantum’s advisories state the following:

The tape library’s remote user interface “logViewer.htm” page can be exploited by a remote attacker’s pre-authentication and result in library firmware shell access and code execution. A conditional path in the main function of the “logViewer.htm” file, normally used to view supported system log files, could be exploited such that a remote attacker could request unauthenticated code execution without proper login.
Due to the logViewer html page accepting POST requests that identified the path to a log file intended to be viewed or e-mailed and such parameter data being used directly in shell commands to prepare the viewing or e-mail send operation, a specific manipulation of such POST request could result in command execution at the user level of the web server. Higher privilege level commands cannot be executed since the web server is not started at root level and therefore elevated privileges cannot be exploited except for a few commands that are granted via sudo file access. However, it is possible to exploit the shell connection and gain admin access to the web console by monitoring the ‘/tmp/’ directory of the embedded system as the web portal stores its session data in the /tmp/ directory and an attacker monitoring such directory until an administrator logged in could copy the session data to gain admin access.


Impact

Dell’s and Quantum’s advisories state the following:

An attacker with access to the remote user interface, or logviewer.htm URL, can execute shell commands and store and retrieve files on/from certain but not all directory locations of the tape library controller’s flash file system. The vulnerable function is part of a conditional path in the main function of the “logViewer.htm” file. This file is used normally to view the various log files on the system and includes the ability to email log files to a supplied email address. This exploit can be issued without logging into the machine giving a remote attacker the ability of unauthenticated code execution.


Solution

Upgrade

Dell has released firmware update i8.2.0.2 (641G.GS103) to address this vulnerability. Affected users are advised to upgrade to firmware i8.2.0.2 (641G.GS103) or later.

Quantum has released firmware update i8.2.2.1 (646G.GS002) to address this vulnerability. Affected users are advised to upgrade to firmware i8.2.2.1 (646G.GS002) or later.


Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks.


Vendor Information

Quantum Scalar i500 firmware versions i8.2.2 (645G.GS004) and below are affected.
Dell ML6000 firmware versions i8.2.0.1 (641G.GS003) and below are affected.



Dell Computer Corporation, Inc.: Affected

Notified: April 14, 2014 Updated: May 30, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Dell has released firmware update i8.2.0.2 (641G.GS103) to address this vulnerability. Affected users are advised to upgrade to firmware i8.2.0.2 (641G.GS103) or later.

Vendor References

Quantum: Affected

Notified: April 14, 2014 Updated: May 30, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Quantum has released firmware update i8.2.2.1 (646G.GS002) to address this vulnerability. Affected users are advised to upgrade to firmware i8.2.2.1 (646G.GS002) or later.

Vendor References

CVSS Metrics

Group          Score   Vector
Base           9       AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal       7.4     E:F/RL:OF/RC:C
Environmental  6.3     CDP:MH/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Benjamin Buchanan for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2014-2959
Date Public: 2014-05-15 Date First Published:
