Sysadmins should update their installations immediately
UPDATED Two flaws in the web interface of a Fujitsu cloud storage system could allow an unauthenticated attacker to read, write, and destroy backed up files.
The security vulnerabilities were present in the enterprise-grade Fujitsu Eternus CS8000 (Control Center) V8.1.
Researchers from NCC Group found two separate issues, each caused by a lack of user input validation in a PHP script that is meant to be included only from pages served after authentication.
Both flaws, a command injection in grel.php and a command injection in hw_view.php, could allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.
Because neither script has an include guard (a check that it is being executed via an authenticated parent page rather than on its own), an attacker can trigger either one without authenticating, simply by requesting the script directly.
This would give them control of the appliance equivalent to being logged in directly over a secure shell.
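The pattern described above, as an added illustration (not Fujitsu's code, and not the code NCC Group found): a PHP sub-script that is supposed to run only after a parent page has authenticated the user, first without an include guard and with request input concatenated into a shell command, then with both defects fixed. The script, parameter and command names (`hw_view`, `dev`, `ls -l /dev/...`) and the device-name pattern are assumptions for the example, not the appliance's actual ones.

```php
<?php
// Added example, not the appliance's code. It models the two weaknesses the
// article describes in a PHP view script: (a) no include guard, so a direct
// request executes it without authentication, and (b) a request parameter
// interpolated into a shell command. All names here are assumptions.

// ---------------------------------------------------------------------------
// Part 1: include guard. The authenticated parent page (hypothetical) does
//     define('CS_AUTHENTICATED', true); require 'hw_view.php';
// after its session check. The view script calls this guard before anything
// else, so a direct GET /hw_view.php (no parent, no constant) is refused.
// The vulnerable scripts lacked any such check.
// ---------------------------------------------------------------------------
function require_included_from_authenticated_page(): void
{
    if (!defined('CS_AUTHENTICATED')) {
        http_response_code(403);
        exit("Forbidden: this script may only be included after authentication\n");
    }
}

// ---------------------------------------------------------------------------
// Part 2: command injection. Both handlers build a shell command from the
// 'dev' request parameter; only the second validates and quotes it.
// ---------------------------------------------------------------------------

// Vulnerable: raw string interpolation into shell_exec(). A request such as
//   dev=sda; echo INJECTED
// turns "ls -l /dev/sda" into "ls -l /dev/sda; echo INJECTED".
function view_device_vulnerable(array $params): string
{
    $dev = $params['dev'] ?? 'sda';
    return (string) shell_exec("ls -l /dev/$dev 2>&1");
}

// Hardened: positively validate the shape of a block device name (pattern is
// an assumption for the example), then quote the argument anyway as defence in
// depth, and never interpolate the raw value.
function view_device_hardened(array $params): string
{
    $dev = $params['dev'] ?? 'sda';
    if (!preg_match('/\A[a-z]{3}[0-9]{0,2}\z/', $dev)) {
        throw new InvalidArgumentException('invalid device name');
    }
    $cmd = 'ls -l ' . escapeshellarg('/dev/' . $dev) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Demonstration on constructed input (run from the CLI: php hw_view_demo.php).
// The injected payload uses "echo" so the effect is visible but harmless.
if (PHP_SAPI === 'cli') {
    define('CS_AUTHENTICATED', true);     // stand-in for the parent page
    require_included_from_authenticated_page();

    $payload = ['dev' => 'sda; echo INJECTED'];   // constructed attacker input

    echo "vulnerable:\n", view_device_vulnerable($payload), "\n";
    try {
        echo "hardened:\n", view_device_hardened($payload), "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened: rejected (", $e->getMessage(), ")\n";
    }
}
```

The two fixes address different halves of the finding and both are needed: the include guard alone would turn the unauthenticated RCE into an authenticated one, and input validation alone would leave the script reachable by anyone who can hit the web interface.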
“If exploited, the attacker obtains limited user privileges on the machine as the ‘www-data’ user; however, it should be noted that the Kernel on the system which NCC Group’s Fox-IT encountered is severely outdated, allowing an attacker to easily escalate their privileges to the administrative ‘root’ user of the system,” a blog post from NCC Group reads.
“Due to the sensitive nature of the system, any attacker with full control over the system is potentially able to read, modify and potentially destroy the entire virtual backup tapes, which could be used as an initial stage of a ransomware attack to ensure the victim is not able to recover and is forced to pay the ransom.”
The issues were discovered during a penetration test conducted by NCC Group on behalf of a client. They were then reported to Fujitsu, which has since patched the bugs (PDF).
Fujitsu said it has “no knowledge” of any working exploit code, and has seen no successful attempts to exploit the vulnerabilities in the wild.
NCC Group advised users to upgrade to the latest version of the software immediately. It has also listed other recommendations to mitigate the bugs in the blog post.
A Fujitsu spokesperson told The Daily Swig: “The two vulnerabilities in Fujitsu ETERNUS CS8000 devices were successfully mitigated/fixed on June 1st, 2022. An update is available and the Fujitsu PSirt service facts on security notice (PDF) was published.
“Fujitsu customers using Fujitsu ETERNUS CS8000 were informed in a timely manner via several communication channels. In addition to the document mentioned above, a special Fujitsu service facts support bulletin SB-CS-2205 has also been published for our customers on the official Fujitsu extranet site.”
This article has been updated to include comment from Fujitsu.