Appliance Controller API Authentication Vulnerability
SUMMARY
A critical security flaw may exist in certain StorNext Appliance Controller/NAS releases (versions 3.1.1 to 4.1.0) on Xcellis Workflow Directors (XWD), Xcellis Workflow Extenders (XWE), Roll Your Own (RYO) NAS, and H4000 (H4K) appliances. This vulnerability could allow network attackers to tamper with the NAS configuration and authentication. Quantum strongly recommends that all affected products be upgraded or patched immediately. Products installed within private, firewalled network environments may be less susceptible to external threats.
VULNERABLE QUANTUM PRODUCTS
The following Quantum products may be vulnerable if not updated or patched:
- Xcellis Workflow Directors and Extenders with Appliance Controller versions from 3.1.1 to 4.1.0. These Appliance Controller versions are typically found on StorNext versions 6.4.1 up to 7.2.2.
- NAS RYO systems running Appliance Controller/NAS 3.1.1 to 4.1.0.
- H-4000 appliances running with StorNext versions from 6.4.1 to 7.2.0 with Appliance Controller 3.1.1 to 4.1.0.
IMPACT
Exploitation of this vulnerability could allow a network actor to access confidential NAS configuration details or modify sensitive NAS settings, such as those pertaining to NAS shares and authentication. Quantum strongly advises upgrading your Appliance Controller to 4.1.1 or implementing the mitigation steps provided below on your existing environment immediately.
CAN I CHECK A SYSTEM FOR VULNERABILITY?
Follow these instructions precisely to detect the Appliance Controller vulnerability.
Before You Begin:
Make sure the host you run the check from:
- has network access to your system running Appliance Controller or RYO NAS.
- can execute `curl` commands (e.g., Windows 10+, or a Linux host with curl installed). Do not use the same host that you are checking for vulnerability.
Instructions:
- Open a command prompt (Windows 10+) or a terminal (Linux).
- Copy, paste, and execute the following command into the prompt, replacing HOSTNAME and PORT with the details of your environment:
  curl -k https://HOSTNAME:PORT/api/is_mdc
  - HOSTNAME: your Appliance Controller/NAS server's IP address or hostname.
  - PORT: the Appliance Controller's port (the default port is 33777).
How to Interpret the Results:
- Your Appliance Controller / NAS is NOT exposed if you see:
  curl: (52) Empty reply from server
- Your Appliance Controller / NAS is NOT exposed if you see output similar to:
  {"response": "","error_code": 5061,"error_message": "Your IP address '10.65.190.235' is not allowed"}
- Your Appliance Controller / NAS IS exposed and vulnerable if you see output similar to:
  {"response": {"mdc": false}, "error_code": 0, "error_message": ""}
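A small shell wrapper for the check above, added here as an example (it is not part of Quantum's advisory): it runs the same curl command and maps the reply to the three outcomes listed. The function names, the sample reply strings and the 10-second timeout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Quantum's advisory: wraps the advisory's curl check
# and classifies the reply into the outcomes the advisory lists. Assumes curl is
# on the PATH and that HOSTNAME/PORT are supplied by the caller.

# The three replies the advisory shows, embedded here as constructed samples.
SAMPLE_CLOSED='curl: (52) Empty reply from server'
SAMPLE_FILTERED="{\"response\": \"\",\"error_code\": 5061,\"error_message\": \"Your IP address '10.65.190.235' is not allowed\"}"
SAMPLE_VULNERABLE='{"response": {"mdc": false}, "error_code": 0, "error_message": ""}'

# classify_is_mdc_response REPLY
# Prints NOT_EXPOSED, NOT_EXPOSED_IP_FILTERED, VULNERABLE or UNKNOWN.
classify_is_mdc_response() {
    case "$1" in
        *"Empty reply from server"*)
            # The service did not answer at all on this port.
            echo "NOT_EXPOSED" ;;
        *error_code*5061*|*"is not allowed"*)
            # The controller's IP allow-list rejected the calling host.
            echo "NOT_EXPOSED_IP_FILTERED" ;;
        *'"mdc"'*)
            # An unauthenticated request was answered with API data.
            echo "VULNERABLE" ;;
        *)
            echo "UNKNOWN" ;;
    esac
}

# check_controller HOSTNAME [PORT]
# Runs the advisory's curl command (PORT defaults to 33777) and classifies it.
check_controller() {
    host="$1"
    port="${2:-33777}"
    # -k skips certificate verification, matching the advisory's command;
    # -sS keeps curl quiet but still prints its own error text; --max-time
    # avoids hanging on a filtered port. 2>&1 captures "Empty reply from server".
    reply=$(curl -k -sS --max-time 10 "https://${host}:${port}/api/is_mdc" 2>&1)
    classify_is_mdc_response "$reply"
}

# Usage: sh check_is_mdc.sh HOSTNAME [PORT]
if [ "$#" -ge 1 ]; then
    check_controller "$@"
else
    # No host given: show how each sample reply is classified.
    for reply in "$SAMPLE_CLOSED" "$SAMPLE_FILTERED" "$SAMPLE_VULNERABLE"; do
        echo "$(classify_is_mdc_response "$reply") <- $reply"
    done
fi
```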
SOLUTION
A mitigation plan is available for affected Appliance Controller/NAS systems so that they can be patched immediately.
Subsequent releases of each affected product will also mitigate the software vulnerability.
Mitigation Plan for Vulnerable StorNext Appliance Controllers:
Instructions for applying the mitigation to each vulnerable Appliance Controller/NAS system are provided below. The mitigation script should run in less than 30 seconds and will restart the Appliance Controller during the process. Importantly, performance of your StorNext file systems should not be affected.
Instructions:
1. Log in to your XWD, XWE, or H4000 Xcellis VM via SSH as the `stornext` user, or to your RYO NAS server as `root`.
   a. You must have root privileges to execute the mitigation. If you log in as the `stornext` user on Xcellis, escalate to root privileges using `sudo rootsh` and re-enter your password.
2. Download `controller-mitigation.zip` to the `/tmp` directory.
   a. MD5 Checksum: fb903926615bf0124c2f92c04f7a5df9
   b. SHA256 Checksum: 75f757b2e8d0f9a94cac71772d37784362e8174bde57c57cc5c0f729dbf9106e
3. Unzip the file contents.
4. Change your directory to the newly created `mitigation` directory.
5. Execute the patch script by running `./controller_mitigation.sh`.
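As an added example (not Quantum's mitigation script), the following shell functions verify the downloaded archive against the checksums published in step 2 before carrying out steps 3 to 5, so that a corrupted or tampered download is never executed as root. The function names, the RUN_MITIGATION guard and the use of `unzip` are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of Quantum's advisory: verifies the downloaded
# controller-mitigation.zip against the MD5 and SHA256 values published in the
# advisory before unzipping and running the mitigation script (steps 2 to 5).
# Assumes md5sum/sha256sum (or md5/shasum on BSD-like hosts) are installed.

# Checksums as published in the advisory for controller-mitigation.zip.
EXPECTED_MD5="fb903926615bf0124c2f92c04f7a5df9"
EXPECTED_SHA256="75f757b2e8d0f9a94cac71772d37784362e8174bde57c57cc5c0f729dbf9106e"

# file_digest ALGO FILE: prints the lowercase hex digest (ALGO is md5 or sha256).
file_digest() {
    case "$1" in
        md5)    if command -v md5sum >/dev/null 2>&1; then md5sum "$2"; else md5 -r "$2"; fi ;;
        sha256) if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2"; else shasum -a 256 "$2"; fi ;;
        *)      echo "unsupported algorithm: $1" >&2 ;;
    esac | awk '{print tolower($1)}'
}

# verify_archive FILE EXPECTED_MD5 EXPECTED_SHA256
# Returns 0 only when both digests match; reports which check failed otherwise.
verify_archive() {
    file="$1"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    [ "$(file_digest md5 "$file")" = "$2" ]    || { echo "MD5 mismatch for $file" >&2; return 1; }
    [ "$(file_digest sha256 "$file")" = "$3" ] || { echo "SHA256 mismatch for $file" >&2; return 1; }
    echo "checksums OK: $file"
}

# apply_mitigation: the advisory's steps 2 to 5, gated on the checksum check.
# Must run as root (sudo rootsh on Xcellis), as the advisory's step 1 requires.
apply_mitigation() {
    archive="/tmp/controller-mitigation.zip"
    verify_archive "$archive" "$EXPECTED_MD5" "$EXPECTED_SHA256" || return 1
    cd /tmp && unzip -o "$archive" && cd mitigation && ./controller_mitigation.sh
}

# Usage on the appliance being patched: RUN_MITIGATION=1 sh apply_mitigation.sh
if [ "${RUN_MITIGATION:-0}" = "1" ]; then
    apply_mitigation
fi
```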
Mitigation result:
When the mitigation script completes, the following output should appear:
patching file middleware.py
Done
If you see this output, the mitigation has been successfully installed. You can confirm the patch by repeating the "Can I check a system for vulnerability?" instructions in this document.
Important Notes:
- The recent Appliance Controller 4.1.1 release permanently resolves this authentication vulnerability.
- This mitigation is not required for StorNext 7.2.4 or Appliance Controller running 4.1.1 or greater.
- If you upgrade your StorNext to a version older than 7.2.4 after applying this mitigation, you'll need to reapply the mitigation to ensure your server remains protected.
Side Effects:
As of the time of publication, there are no known side effects from applying this mitigation.
CONTACT INFORMATION
In North America, call 1-800-284-5101. In EMEA, call toll free +800-7826-8888 or direct +49 6131 324 185. In Asia Pacific, call +800-7826-8887. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support