Quantum StorNext Web GUI API Unauthorized Access and Remote Code Execution Vulnerability

Vulnerability

A vulnerability in the Quantum StorNext Web GUI API prior to version 7.2.4 allows unauthorized access to internal StorNext configuration and the unauthorized modification of certain software configuration parameters using undocumented user credentials. This vulnerability also affects StorNext RYO and Xcellis Workflow Director versions prior to 7.2.4, as well as all versions of ActiveScale Cold Storage.

Impact

Exploitation of this vulnerability could lead to unauthorized access and modification of StorNext configuration, and potentially allow for arbitrary remote code execution on the server.

Reproduction

To reproduce this vulnerability, use a host that can run curl commands and has network access to the StorNext GUI. First, check whether the GUI is reachable by sending a request to the default port (443) and looking for a 'Response Code: 200'. If the GUI is reachable, send a request to the 'rest/systemcontrol/status' endpoint using the 'wsuser' credentials. A 'Response Code: 200' from that endpoint indicates that the StorNext instance is vulnerable.
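The two-step check above, scripted as a self-assessment helper for administrators verifying their own StorNext instances before and after patching. This is an added example, not a script from the advisory or from Quantum. It assumes the GUI listens on HTTPS port 443, that the endpoint is served at /rest/systemcontrol/status under the GUI root, that the API accepts the 'wsuser' credentials as HTTP basic authentication, and that the password (which the advisory does not publish) is supplied through the WSUSER_PASSWORD environment variable.

```shell
#!/bin/sh
# Self-assessment helper for the StorNext Web GUI API advisory.
# Added example; not part of the advisory or Quantum's tooling.
# Assumptions: HTTPS on 443, endpoint at /rest/systemcontrol/status,
# HTTP basic auth for 'wsuser', password in $WSUSER_PASSWORD.

# Print only the HTTP status code for a URL; prints 000 on connection failure.
# $1 = URL, $2 = optional "user:password" for basic auth
http_code() {
  if [ -n "$2" ]; then
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -u "$2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
  fi
}
# Add --cacert <file> to the curl calls above if the GUI uses a private CA.

# Map the two status codes from the advisory's procedure to a verdict.
# $1 = code from the GUI root, $2 = code from rest/systemcontrol/status
classify() {
  if [ "$1" != "200" ]; then
    echo "gui-unreachable"          # step 1 failed; nothing to conclude
  elif [ "$2" = "200" ]; then
    echo "vulnerable"               # undocumented credentials accepted
  else
    echo "not-vulnerable-or-mitigated"
  fi
}

# Run the full check against one host and print the verdict.
check_stornext() {
  host="$1"
  gui=$(http_code "https://$host:443/")
  api=""
  if [ "$gui" = "200" ]; then
    api=$(http_code "https://$host:443/rest/systemcontrol/status" \
                    "wsuser:${WSUSER_PASSWORD:?set WSUSER_PASSWORD}")
  fi
  classify "$gui" "$api"
}

if [ $# -eq 1 ]; then
  check_stornext "$1"
fi
```

Run as `WSUSER_PASSWORD=... sh check.sh stornext.example.internal`; a verdict of "vulnerable" means the instance still needs the 7.2.4 upgrade or the mitigation script.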

Remediation

Quantum recommends upgrading to StorNext version 7.2.4 or applying the available mitigation. The mitigation involves downloading a patch script from the Quantum Insight repository, executing it on the StorNext server, and reversing the process if High Availability configuration is needed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  7.7
remediation     0.0
relevance       0.0
threat          1.6
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.