Quantum StorNext Web GUI API Arbitrary Remote Code Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary remote code execution has been identified in the Quantum StorNext Web GUI API, affecting versions prior to 7.2.4. The root cause is a file upload through the Web GUI API that is not properly authorized; an attacker who can upload a file through this path can use it to execute code on the system remotely. The issue is present in the StorNext RYO and Xcellis Workflow Director components, as well as in all versions of ActiveScale Cold Storage.

Impact

Exploitation of this vulnerability allows for arbitrary remote code execution on the affected system.

Reproduction

The reproduction outline given here is minimal: authenticate to the StorNext Web GUI API with the 'wsuser' credentials and send a request to the 'rest/systemcontrol/status' endpoint, then attempt the file upload through the Web GUI API. A successful upload is the indicator that the system is vulnerable. No further request details are provided on this page, so treat any test against a production system as potentially disruptive and confirm the installed version first.

Remediation

Users are advised to upgrade to StorNext version 7.2.4 or later. For Xcellis Workflow Director systems, Quantum provides a separate mitigation; it should be applied first, and the upgrade to 7.2.4 performed afterwards.
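Because the affected range is defined by a version threshold (anything before 7.2.4) rather than by a single release, the first thing a practitioner wants is a reliable way to sort an inventory of StorNext hosts into "affected" and "fixed". The script below is an added example written for this page; it is not Quantum's code and not taken from the advisory. It assumes version strings are dotted numeric values such as "7.2.3" or "7.1.1.1", possibly with surrounding text ("StorNext 7.2.4"), and the host inventory is constructed sample data. It only evaluates the version number; whether a given host runs an in-scope product line (StorNext RYO, Xcellis Workflow Director) still has to be confirmed separately, and ActiveScale Cold Storage is listed as affected in all versions, so no version check applies there.

```python
"""Classify StorNext hosts against the "prior to 7.2.4" threshold.

Added example for this advisory page (not Quantum's code). The inventory
below is constructed sample data. Versions are compared numerically,
component by component, so "7.10.0" correctly sorts after "7.2.4" even
though it would sort before it as a plain string.
"""
import re
from typing import Dict, List, Tuple

# First fixed release named in the advisory.
FIXED_VERSION = "7.2.4"

# Constructed sample inventory (host name -> version string as reported).
SAMPLE_INVENTORY: Dict[str, str] = {
    "mdc-01": "StorNext 7.2.3",
    "mdc-02": "7.2.4",
    "xwd-01": "7.1.1.1",
    "mdc-03": "7.2.4.1",
    "mdc-04": "7.2",
    "mdc-05": "7.10.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Extract the leading dotted-number run and return it as an int tuple.

    Raises ValueError if no dotted number is present, so an unparseable
    entry fails loudly instead of silently counting as "fixed".
    """
    match = re.search(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"no dotted version number found in {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Shorter tuples are right-padded with zeros so "7.2" equals "7.2.0".
    """
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def is_affected(version: str) -> bool:
    """True if the version string is strictly before FIXED_VERSION."""
    return compare_versions(parse_version(version), parse_version(FIXED_VERSION)) < 0


def audit(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split an inventory into (affected_hosts, fixed_hosts), each sorted."""
    affected: List[str] = []
    fixed: List[str] = []
    for host, version in inventory.items():
        (affected if is_affected(version) else fixed).append(host)
    return sorted(affected), sorted(fixed)


if __name__ == "__main__":
    affected_hosts, fixed_hosts = audit(SAMPLE_INVENTORY)
    for host in affected_hosts:
        print(f"AFFECTED  {host:8s} {SAMPLE_INVENTORY[host]}  (upgrade to {FIXED_VERSION}+)")
    for host in fixed_hosts:
        print(f"fixed     {host:8s} {SAMPLE_INVENTORY[host]}")
```

Feed `audit()` whatever your own inventory source produces (a CMDB export, a loop over hosts running the StorNext version command); the parser deliberately raises on entries it cannot read so that an empty or malformed version field cannot be mistaken for a patched host.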

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)
spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.