DIVD-2021-00020 - OSNexsus QuantaStor limited disclosure and product warning

Our reference DIVD-2021-00020
Case lead Frank Breedijk
Author Max van der Horst and Frank Breedijk
Researcher(s)
CVE(s)
Product OSNEXUS QuantaStor
Versions before v6.0.0.355
Recommendation Update to the latest version of OSNEXUS QuantaStor as soon as possible.
Patch status Unknown
Status Closed
Last modified 16 Nov 2023 17:31

Summary

DIVD researcher Wietse Boonstra discovered a total of six vulnerabilities in OSNEXUS QuantaStor. These vulnerabilities included a Server-Side Request Forgery, Remote Command Execution, Privilege Escalation and two Cross-Site Scripting vulnerabilities. Abuse of these vulnerabilities could lead to the compromise of your server.

Impact

By leveraging these vulnerabilities, an attacker could execute code on the webpage, make requests on the server’s behalf and gain root privilege on the server, potentially leading to total compromise of the environment.

What you can do

What we are doing

We have published this case file as a product warning given the lack of (visible) vendor cooperation. Based on our CNA guidelines we have given OSNexus ample time to acknowledge our findings (388 days) and ample time to fix the vulnerabilities (at least 6 months). And it is now time for a limited disclosure.

Timeline

Date Description
10 Aug 2021 Wietse Boonstra discovers six vulnerabilities.
07 Oct 2021 Five CVEs have been requested and assigned.
20 Oct 2021-
12 Nov 2022		 Time to acknowledge receipt of vulnerabilities.
20 Oct 2021 Disclosure process with OSNEXUS started.
28 Dec 2021 DIVD starts scanning for affected parties.
14 Oct 2022 Cooperation with NCSC-NL started.
28 Oct 2022 NCSC-NL again reaches out to OSNexus.
10 Nov 2022 NCSC-NL reaches out to OSNexus via US partners.
12 Nov 2022 OSNexus acknowledges receipt of report.
12 Nov 2022-
22 Nov 2022		 Time to fix other CVEs except CVE-2021-42080 and CVE-2021-42083.
15 Nov 2022 OSNexus promises a new release with 7 days that should fix vulnberabilities.
22 Nov 2022 OSNexus release version v6.0.0.355.
22 Nov 2022 DIVD confirms that release is still vulnerable to all CVEs but XSS cves CVE-2021-42080 and CVE-2021-42083.
05 Jul 2023 CVE-2021-4406 assigned.
10 Jul 2023 Given the lack of reaction DIVD decides to publish this case file en discloses limited vulnerability details.
16 Oct 2023 Case closed
gantt title DIVD-2021-00020 - OSNexsus QuantaStor limited disclosure and product warning dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00020 - OSNexsus QuantaStor limited disclosure and product warning (797 days) :2021-08-10, 2023-10-16 section Events Wietse Boonstra discovers six vulnerabilities. : milestone, 2021-08-10, 0d Five CVEs have been requested and assigned. : milestone, 2021-10-07, 0d Time to acknowledge receipt of vulnerabilities. (388 days) : 2021-10-20, 2022-11-12 Disclosure process with OSNEXUS started. : milestone, 2021-10-20, 0d DIVD starts scanning for affected parties. : milestone, 2021-12-28, 0d Cooperation with NCSC-NL started. : milestone, 2022-10-14, 0d NCSC-NL again reaches out to OSNexus. : milestone, 2022-10-28, 0d NCSC-NL reaches out to OSNexus via US partners. : milestone, 2022-11-10, 0d OSNexus acknowledges receipt of report. : milestone, 2022-11-12, 0d Time to fix other CVEs except CVE-2021-42080 and CVE-2021-42083. (10 days) : 2022-11-12, 2022-11-22 OSNexus promises a new release with 7 days that should fix vulnberabilities. : milestone, 2022-11-15, 0d OSNexus release version v6.0.0.355. : milestone, 2022-11-22, 0d DIVD confirms that release is still vulnerable to all CVEs but XSS cves CVE-2021-42080 and CVE-2021-42083. : milestone, 2022-11-22, 0d CVE-2021-4406 assigned. : milestone, 2023-07-05, 0d Given the lack of reaction DIVD decides to publish this case file en discloses limited vulnerability details. : milestone, 2023-07-10, 0d Case closed : milestone, 2023-10-16, 0d

More information