ID: CVE-2020-8688
Type: cve
Reporter: cve@mitre.org
Modified: 2020-08-19T17:34:00
Description
Improper input validation in the Intel(R) RAID Web Console 3 for Windows* may allow an unauthenticated user to potentially enable denial of service via network access.
{"talos": [{"lastseen": "2020-09-30T22:44:12", "bulletinFamily": "info", "cvelist": ["CVE-2020-8688"], "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0894\n\n## Intel Raid Web Console 3 add server denial-of-service vulnerability\n\n##### March 24, 2020\n\n##### CVE Number\n\nCVE-2020-8688\n\n### Summary\n\nA remote, exploitable denial-of-service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can lead to a null pointer dereference in the Intel Raid Web Console server. This would result in a denial of service until the user restarts LSA.exe. A remote unauthenticated attacker can send a POST request to trigger this vulnerability.\n\n### Tested Versions\n\nIntel Raid Web Console 3 v007.009.011.000\n\n### Product URLs\n\n[Intel Raid Web Console 3 Download](<https://downloadcenter.intel.com/download/28781/Intel-RAID-Web-Console-3-for-Windows->)\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-476: NULL Pointer Dereference\n\n### Details\n\nIntel RAID Web Console 3 (RWC3) software is a web-based application that monitors, maintains, troubleshoots and configures functions for Intel RAID products. 
The RWC3 graphical user interface (GUI) simplifies the viewing of an existing server hardware configuration, as well as creating and managing storage configurations.\n\nThe modules involved in this vulnerability are:\n \n \n Image path: C:\\Program Files (x86)\\LSI\\LSIStorageAuthority\\bin\\PluginManager.dll\n Image name: PluginManager.dll\n Browse all global symbols functions data\n Timestamp: Fri Jan 11 00:57:22 2019 (5C385A72)\n CheckSum: 006A30EA\n ImageSize: 006A5000\n File version: 7.9.11.0\n Product version: 7.9.11.0\n \n Image path: C:\\Program Files (x86)\\LSI\\LSIStorageAuthority\\bin\\HTTP.dll\n Image name: HTTP.dll\n Browse all global symbols functions data\n Timestamp: Fri Jan 11 00:10:36 2019 (5C384F7C)\n CheckSum: 00039A00\n ImageSize: 00032000\n File version: 7.9.11.0\n Product version: 7.9.11.0\n \n\nOne of the features of the Intel RAID web API is the ability to add servers to the product for monitoring. An example of the parameters sent to the endpoint responsible for adding servers is:\n \n \n {\"action\":\"ADD\", \"parameters\":{\"server\":\"/lsi/storage/mr/api/1.0/servers/192.168.31.1\"}}\n \n\nIn this case, the `/api/1.0/servers` path in the server parameter assumes that there is already an active session with the client, and the application will use this session to query for the requested server, `192.168.31.1`. 
With this active session, the cookie for this session is queried.\n \n \n PluginManager+0x3bdad6\n .text:003BDAD6 mov edx, [eax]\n .text:003BDAD8 mov ecx, eax\n .text:003BDADA mov eax, [edx+30h]\n .text:003BDADD call eax ; Call to http::FCGIHTTPCommand::getSessionCookie\n \n\nThe session ID is then retrieved from the newly received SessionCookie object.\n \n \n PluginManager+0x3bdadf\n .text:003BDADF mov ecx, eax ; this\n .text:003BDAE1 call ?getSessionId@SessionCookie@http@@QBEABVSessionID@2@XZ ; http::SessionCookie::getSessionId(void)\n \n HTTP+0x17540\n .text:00017540 lea eax, [ecx+74h]\n .text:00017543 retn\n \n\nThe original session is returned by looking for a cookie called SESSIONID [0]. If this cookie is not found, the session returns as zero [1].\n \n \n .text:00008BD6 mov ecx, [edi+58h]\n .text:00008BD9 sub ecx, [edi+54h]\n .text:00008BDC sar ecx, 2\n .text:00008BDF cmp ebp, ecx\n .text:00008BE1 jb short loc_8BE9\n .text:00008BE3 call ds:_invalid_parameter_noinfo\n .text:00008BE9\n .text:00008BE9 mov edx, [edi+54h]\n .text:00008BEC mov ebx, [edx+ebp*4]\n .text:00008BEF mov eax, [ebx]\n .text:00008BF1 mov edx, [eax+4]\n .text:00008BF4 mov ecx, ebx\n .text:00008BF6 call edx\n .text:00008BF8 test eax, eax\n .text:00008BFA jnz short loc_8C23\n .text:00008BFC mov eax, offset aHttpCookieGetN ; \"http::Cookie::get_name\"\n .text:00008C01 lea esi, [esp+0D8h+var_C8]\n .text:00008C05 call sub_3070\n .text:00008C0A mov ecx, esi ; this\n .text:00008C0C call ??1formatted_log_t@utils@@UAE@XZ ; utils::formatted_log_t::~formatted_log_t(void)\n .text:00008C11 push offset aSessionid ; \"SESSIONID\" ; [0]\n .text:00008C16 lea ecx, [ebx+4]\n .text:00008C19 call ds:?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHPBD@Z \n .text:00008C1F test eax, eax\n .text:00008C21 jz short loc_8C3B\n .text:00008C23\n .text:00008C23 mov eax, [edi+58h]\n .text:00008C26 sub eax, [edi+54h]\n .text:00008C29 inc ebp\n .text:00008C2A sar eax, 2\n .text:00008C2D cmp ebp, 
eax\n .text:00008C2F jb short loc_8BD6\n .text:00008C31 \n .text:00008C31 xor eax, eax ; [1]\n .text:00008C33 pop edi\n .text:00008C34 pop esi\n .text:00008C35 pop ebp\n .text:00008C36 pop ebx\n .text:00008C37 mov esp, ebp\n .text:00008C39 pop ebp\n .text:00008C3A retn\n \n\nWhen the server attempts to parse the non-existent session cookie, a small offset from null is dereferenced instead, causing a null pointer dereference. This crashes the server and results in a denial of service.\n\n### Crash information\n \n \n 0:010> g\n eax=00000000 ebx=02b1b2e8 ecx=02b1b2e8 edx=005d0000 esi=02b1b2e8 edi=00000074\n eip=6fd7633a esp=02b1b190 ebp=02b1b19c iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202\n MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x10:\n 6fd7633a 394714 cmp dword ptr [edi+14h],eax ds:002b:00000088=????????\n \n\n### Timeline\n\n2019-10-28 - Initial contact \n2019-11-05 - 2nd contact; Vendor acknowledged & assigned PSIRT reference \n2019-11-19 - Vendor requested disclosure extension for March timeline \n2020-03-10 - Vendor confirmed mitigations \n2020-03-24 - Public Release\n\n##### Credit\n\nDiscovered by Geoff Serrao and Cory Duplantis of Cisco Talos.\n", "edition": 9, "modified": "2020-03-24T00:00:00", "published": "2020-03-24T00:00:00", "id": "TALOS-2019-0894", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0894", "title": "Intel Raid Web Console 3 add server denial-of-service vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-08-20T13:36:32", "bulletinFamily": "info", "cvelist": ["CVE-2020-8688"], "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0914\n\n## Intel Raid Web Console 3 DISCOVERY Denial of Service\n\n##### March 24, 2020\n\n##### CVE 
Number\n\nCVE-2020-8688\n\n### Summary\n\nAn exploitable denial of service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can cause the LSA.exe service to exit, resulting in a denial of service. A remote unauthenticated attacker can send a malicious POST request to trigger this vulnerability.\n\n### Tested Versions\n\nIntel Raid Web Console 3 v007.009.011.000\n\n### Product URLs\n\n[Intel Raid Web Console 3 Download](<https://downloadcenter.intel.com/download/28781/Intel-RAID-Web-Console-3-for-Windows->)\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-20 Improper Input Validation https://cwe.mitre.org/data/definitions/20.html\n\n### Details\n\nIntel\u00ae RAID Web Console 3 (RWC3) software is a web-based application that performs monitoring, maintaining, troubleshooting and configuration functions for the Intel RAID products. The RWC3 graphical user interface (GUI) simplifies the viewing of an existing server hardware configuration, as well as creating and managing storage configurations.\n\nThe binary used for this vulnerability is below:\n \n \n Image path: C:\\Program Files (x86)\\LSI\\LSIStorageAuthority\\bin\\HTTP.dll\n Image name: HTTP.dll\n Browse all global symbols functions data\n Timestamp: Fri Jan 11 00:10:36 2019 (5C384F7C)\n CheckSum: 00039A00\n ImageSize: 00032000\n File version: 7.9.11.0\n Product version: 7.9.11.0\n \n\nThe vulnerable endpoint is /LSI/Storage/MR/API/1.0/servers/serverid/operations/DISCOVERY. This endpoint is meant to add new Intel RAID servers to the Intel gateway. 
One example request is below:\n \n \n POST /LSI/Storage/MR/API/1.0/servers/00:aa:bb:12:04:da/operations/DISCOVERY HTTP/1.1\n Host: 192.168.31.128:2463\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\n Accept: */*\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: https://192.168.31.128:2463/ui/remoteserver/index.html?locale=en\n Content-Type: application/json\n Content-Length: 84\n Connection: close\n \n {\"action\":\"SEARCH\", \"parameters\":{\"address\":\"192.168.31.1\", \"isIndirectAgent\":true}}\n \n\nThe address 192.168.31.1 will be sent an HTTP GET /ui/; if the response code is 200, the server is added to the gateway. A request with no JSON body will cause the process to call _invalid_parameter_noinfo.\n \n \n HTTP+0x508a\n .text:0000508A cmp edi, [eax+0Ch]\n .text:0000508D ja short loc_5095\n .text:0000508F call ds:_invalid_parameter_noinfo\n \n\nThis causes the LSA.exe service to terminate, resulting in a denial of service.\n\n### Timeline\n\n2019-10-28 - Initial contact \n2019-11-05 - 2nd contact; Vendor acknowledged & assigned PSIRT reference \n2019-11-19 - Vendor requested disclosure extension for March timeline \n2020-03-10 - Vendor confirmed mitigations \n2020-03-24 - Public Release\n\n##### Credit\n\nDiscovered by Geoff Serrao of Cisco Talos.\n", "edition": 3, "modified": "2020-03-24T00:00:00", "published": "2020-03-24T00:00:00", "id": "TALOS-2019-0914", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0914", "title": "Intel Raid Web Console 3 DISCOVERY Denial of Service", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}