Two flaws in the web interface of the Fujitsu Eternus CS8000 V8.1, caused by a lack of user input validation in two PHP scripts, could allow an unauthenticated attacker to read, write, and destroy backed-up files.
Both flaws, a command injection in grel.php and a command injection in hw_view.php, could allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.
As no include guards are in place, the attacker can trigger the script without prior authentication by calling it directly. This would enable them to take control of the appliance as if they were logged in directly via a secure shell.
If exploited, the attacker obtains limited privileges on the machine as the ‘www-data’ user; the outdated kernel then allows them to escalate easily to the administrative ‘root’ user of the system.
An attacker with full control of the system is potentially able to read, modify and destroy the entire set of virtual backup tapes. This could serve as the initial stage of a ransomware attack, ensuring the victim is unable to recover and is forced to pay the ransom.
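The two weaknesses described above, a script that runs when requested directly and a request parameter that reaches a shell command unvalidated, are illustrated here with a hypothetical admin-panel helper. This is an added example, not Fujitsu's code, and the constant name, parameter name and tool path are assumptions.

```php
<?php
// Added illustration (not the appliance's code): a hypothetical panel helper
// showing the pattern the article describes, followed by the hardened form.
//
// Vulnerable shape, for reference only:
//   $out = shell_exec("/usr/local/bin/hwstatus " . $_GET['component']);
// It has no include guard, so a direct request runs it with no login check,
// and the parameter is spliced into a shell command line unvalidated.

// Include guard: only proceed when pulled in by the authenticated front
// controller, which defines this constant (hypothetical name) after its own
// session check. A direct request for this file gets a 403 and nothing runs.
if (!defined('PANEL_AUTHENTICATED')) {
    http_response_code(403);
    exit;
}

// Allowlist the parameter: accept only the fixed set of values the page can
// legitimately ask for, instead of trying to strip shell metacharacters.
$allowed   = ['disk', 'fan', 'psu'];
$component = $_GET['component'] ?? '';
if (!in_array($component, $allowed, true)) {
    http_response_code(400);
    exit('invalid component');
}

// Even an allowlisted value is passed as a single quoted argument so it can
// never alter the command line. (On PHP 7.4+, proc_open() with an argument
// array would avoid the shell entirely.)
$cmd = '/usr/local/bin/hwstatus ' . escapeshellarg($component); // hypothetical tool path
$out = shell_exec($cmd);

header('Content-Type: text/plain');
echo $out === null ? "no output\n" : $out;
```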
Fujitsu said it has no knowledge of any working exploit code and has seen no successful attempts to exploit the vulnerabilities in the wild. It urges users to upgrade to the latest version of the software immediately, and has listed further recommendations to mitigate the bugs in the blog post.
The issues were discovered during a penetration test conducted by NCC Group on behalf of a client.