Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
ExaGrid EX10 Incorrect Access Control Vulnerability Allowing Unauthorized Privilege Escalation
Vulnerability
A vulnerability in ExaGrid EX10 versions 6.3 through 7.0.1.P08 allows users with the Admin role to improperly create or modify accounts in the Security Officer role, bypassing established access controls. Since version 6.3, ExaGrid has required Admin users to obtain approval before assigning the Security Officer role. However, a flaw in the account creation process means the server honours the group supplied in the API request, so the check can be bypassed by manipulating that request. An Admin user can intercept the account-creation request and alter it to place the new account in the Security Officer group without the required approval.
Impact
Exploitation of this vulnerability leads to unauthorized creation of Security Officer accounts, allowing attackers to gain the highest level of access within the ExaGrid backup appliance. This access includes full control over backup operations, user management, encryption settings, and the ability to manipulate backup policies and access sensitive data.
Reproduction
To reproduce this vulnerability, an Admin user must send a POST request to the '/api/v1/sites/{uuid}/users' endpoint, using a valid JSESSIONIDSSO cookie and site UUID. The request can be intercepted and modified to assign the new user to the Security Officer group, bypassing the required approval process. This can be done using a Python script that automates the request manipulation.
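The control gap described above, as an added Python example that is not ExaGrid's code: a simplified account-creation handler that applies the client-supplied group as-is, beside a hardened version that enforces the approval requirement server-side, plus the Security Officer membership check the Remediation section calls for. The approval model (an existing Security Officer records an approval for the named account before an Admin may assign that role), the result tuples and all names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed role names and approval model; not ExaGrid's implementation.
ADMIN = "Admin"
SECURITY_OFFICER = "Security Officer"
DEFAULT_GROUP = "User"


@dataclass
class Approval:
    user_name: str    # account the approval covers
    approved_by: str  # must be a current Security Officer


@dataclass
class Site:
    users: dict = field(default_factory=dict)      # account name -> group
    approvals: list = field(default_factory=list)  # recorded approvals


def create_user_vulnerable(site, caller_group, body):
    """Flawed handler: the 'group' field from the request body is applied as-is,
    so any Admin can mint a Security Officer by editing the request."""
    if caller_group not in (ADMIN, SECURITY_OFFICER):
        return 403, "caller may not create users"
    site.users[body["name"]] = body.get("group", DEFAULT_GROUP)
    return 201, site.users[body["name"]]


def create_user_hardened(site, caller_group, body):
    """Fixed handler: the Security Officer group is honoured only when the caller
    is itself a Security Officer or a matching approval is on record."""
    if caller_group not in (ADMIN, SECURITY_OFFICER):
        return 403, "caller may not create users"
    name, group = body["name"], body.get("group", DEFAULT_GROUP)
    if group == SECURITY_OFFICER and caller_group != SECURITY_OFFICER:
        approved = any(
            a.user_name == name and site.users.get(a.approved_by) == SECURITY_OFFICER
            for a in site.approvals
        )
        if not approved:
            return 403, "Security Officer assignment requires approval"
    site.users[name] = group
    return 201, group


def audit_security_officers(site, expected):
    """Remediation check: Security Officer accounts not in the expected set."""
    return sorted(n for n, g in site.users.items()
                  if g == SECURITY_OFFICER and n not in expected)


if __name__ == "__main__":
    site = Site(users={"so-alice": SECURITY_OFFICER, "admin-bob": ADMIN})
    crafted = {"name": "new-user", "group": SECURITY_OFFICER}  # constructed request body
    print(create_user_vulnerable(site, ADMIN, crafted))
    print(create_user_hardened(site, ADMIN, crafted))
    print(audit_security_officers(site, {"so-alice"}))
```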
Remediation
ExaGrid users should monitor for unauthorized users in the Security Officer group and invalidate any suspicious or stale sessions. Access to internal management interfaces should be restricted.
