
Separate Fujitsu cloud storage vulnerabilities could enable attackers to destroy virtual backups

Two flaws in the web interface of a Fujitsu cloud storage system could allow an unauthenticated attacker to read, write, and destroy backed up files.

The security vulnerabilities were present in the enterprise-grade Fujitsu Eternus CS8000 (Control Center) V8.1.

Researchers from NCC Group found two separate issues caused by a lack of user input validation in two PHP scripts that are normally only included by other scripts after authentication.

Both flaws, a command injection in grel.php and a command injection in hw_view.php, could allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.

As no include guards are in place, an attacker can trigger either script without prior authentication simply by requesting it directly.

This would enable them to take control of the appliance as if they were logged in directly via a secure shell.
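The flaw class described above, as an added illustration that is not Fujitsu's or NCC Group's code: a PHP "view" script that is meant to be pulled in by an authenticated controller, but that also answers direct HTTP requests because nothing checks how it was reached, and that passes a request parameter straight into a shell command. The file names (`controller.php`, `view.php`), the guard constant `IN_CONTROL_CENTER` and the `hwinfo` command are assumptions chosen for the example. The hardened version adds the include guard and input validation the article says were missing.

```php
<?php
// Added example, not code from the Fujitsu appliance. File and command names are hypothetical.
//
// --- controller.php (the authenticated entry point, shown for context) ---
//   session_start();
//   if (empty($_SESSION['user'])) { http_response_code(401); exit; }
//   define('IN_CONTROL_CENTER', true);   // marks that we arrived via the controller
//   include 'view.php';
//
// --- view.php, weak form (the pattern the article describes) ---
//   $device = $_GET['device'];
//   echo shell_exec('hwinfo --device ' . $device);
//   Problems: (1) requesting /view.php directly bypasses controller.php and its
//   session check entirely; (2) the parameter reaches the shell unvalidated.
//
// --- view.php, hardened form ---

// 1. Include guard: refuse to run unless the authenticated controller loaded us.
//    A direct request never passes through controller.php, so the constant is undefined.
if (!defined('IN_CONTROL_CENTER')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

// 2. Validate the parameter against a strict allowlist before any command is built.
//    Device identifiers here are assumed to be short alphanumeric tokens.
$device = $_GET['device'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $device)) {
    http_response_code(400);
    exit('Invalid device identifier');
}

// 3. Defence in depth: even validated input is quoted with escapeshellarg(),
//    so a future relaxation of the allowlist cannot turn into shell metacharacters.
$output = shell_exec('hwinfo --device ' . escapeshellarg($device));

// 4. Output is HTML-encoded so command output cannot inject markup into the page.
echo htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8');
```

The guard constant is the minimal fix for the direct-access problem; a stronger design is to keep such view scripts outside the web root entirely so the web server cannot serve them at all, and to repeat the session check inside them rather than trusting the controller alone. Where the shell can be avoided, passing the command and its arguments as an array to `proc_open()` (supported since PHP 7.4) removes shell parsing from the picture, which is a better fix than escaping.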

“If exploited, the attacker obtains limited user privileges on the machine as the ‘www-data’ user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative ‘root’ user of the system,” a blog post from NCC Group reads.

“Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.”

Patch now

The issues were discovered during a penetration test conducted by NCC Group on behalf of a client. They were then reported to Fujitsu, which has since patched the bugs (PDF).

Fujitsu said it has “no knowledge” of any working exploit code, and has seen no successful attempts to exploit the vulnerabilities in the wild.

NCC Group advised users to upgrade to the latest version of the software immediately. It has also listed other recommendations to mitigate the bugs in the blog post.

The Daily Swig has reached out to both NCC Group and Fujitsu for comment and will update this article accordingly.

Source: https://portswigger.net/daily-swig/separate-fujitsu-cloud-storage-vulnerabilities-could-enable-attackers-to-destroy-virtual-backups
