H3C Magic Products Command Injection Vulnerability

Vulnerability

A critical command injection vulnerability has been identified in several H3C Magic products, including the NX15, NX30 Pro, NX400, R3010, and BE18000 models, all through version V100R014. The vulnerability resides in the HTTP POST request handler, specifically within the 'FCGI_CheckStringIfContainsSemicolon' function of the '/api/wizard/getBasicInfo' endpoint. Exploitation of this vulnerability allows unauthorized users to execute commands on the affected device with elevated privileges. The issue can only be exploited from within the local network.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected device with elevated privileges.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/wizard/getBasicInfo' endpoint with a payload that includes a semicolon. This can be done using a tool like curl or Postman. The request must be sent from within the local network.

Remediation

Users are advised to upgrade to the latest version of the affected software. The upgrade is available on the H3C website.
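For defenders who cannot patch immediately, the request pattern described above is easy to spot in HTTP logs. The following detector is an added example, not code from the advisory or from H3C: it scans constructed request-log lines (the log format is an assumption) for POST requests to the affected endpoint whose query string or body carries a semicolon, decoding percent-encoding first so that encoded and double-encoded forms are caught as well.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory; a semicolon in the request is the
# condition the vulnerable check is supposed to reject.
TARGET_PATH = "/api/wizard/getBasicInfo"

# Assumed log format: timestamp, source IP, method, path (with query), quoted body.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>.*)"$'
)

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = [
    '2025-09-01T19:00:01Z 192.168.1.23 GET /api/wizard/getBasicInfo ""',
    '2025-09-01T19:00:02Z 192.168.1.23 POST /api/wizard/getBasicInfo "lang=en"',
    '2025-09-01T19:00:05Z 192.168.1.77 POST /api/wizard/getBasicInfo "lang=en;x"',
    '2025-09-01T19:00:09Z 192.168.1.77 POST /api/wizard/getBasicInfo "lang=en%3Bx"',
    '2025-09-01T19:00:12Z 192.168.1.77 POST /api/wizard/getBasicInfo "lang=en%253Bx"',
    '2025-09-01T19:00:15Z 192.168.1.40 POST /api/other "a=b;c"',
    '2025-09-01T19:00:18Z 192.168.1.40 POST /api/wizard/getBasicInfo?q=a%3Bb ""',
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so %3B and %253B both become ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(rec):
    """True for a POST to the affected endpoint carrying a semicolon anywhere."""
    if rec["method"] != "POST":
        return False
    path, _, query = rec["path"].partition("?")
    if path != TARGET_PATH:
        return False
    return any(";" in decode_fully(part) for part in (query, rec["body"]))


def scan(lines):
    """Return (timestamp, source, path) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m.groupdict()):
            hits.append((m["ts"], m["src"], m["path"]))
    return hits
```

Because the advisory states the issue is only reachable from the local network, every hit should carry an internal source address; an external source in the hits list points to a logging or exposure problem rather than this bug.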

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.