StorNext GUI - Multiple Security Vulnerabilities
SUMMARY
Two high-severity security vulnerabilities have been identified in the StorNext GUI API. The GUI API is part of the StorNext firmware installed on Xcellis Workflow Directors (StorNext MDCs). When the two vulnerabilities are combined, StorNext is exposed to potential Remote Code Execution (RCE). These vulnerabilities may be present in all currently supported versions of the StorNext GUI. Quantum strongly recommends upgrading or patching affected StorNext products. Workflow Directors installed within private, firewalled network environments may be less susceptible to external threats.
VULNERABLE QUANTUM PRODUCTS
The following Quantum products may be vulnerable if not updated or patched:
- All currently-supported versions (6.3.1+) of Workflow Directors and StorNext RYO prior to 7.2.4
- All versions of ActiveScale Cold Storage (ActiveScale without Cold Storage is not vulnerable)
How can I tell if my StorNext GUI is vulnerable?
The instructions below detect the vulnerability in the StorNext GUI when followed as written. Before you begin, choose a device on your network that can reach the StorNext GUI and can execute a curl command (a Windows 10 or later device, or a Linux-based host that has curl installed and is not itself running StorNext).
For a Microsoft® Windows 10 or greater device, open a Command Prompt window (it can be found in the start menu or via search in the task bar). On a Linux-based machine, open a command prompt.
1. In the command prompt, copy and paste the following command. Be sure to replace HOSTNAME with the StorNext network IP address and PORT with the correct port (the default port is 443).
a. curl -k -s -o /dev/null -w "Response code: %{http_code}\n" https://HOSTNAME:PORT/
2. If you see output that reads 'Response code: 200', proceed to step 3. If you DO NOT see 'Response code: 200', the device you have chosen may not have access to the StorNext GUI and cannot be used to check for the vulnerability.
3. In the command prompt, run the following command. Be sure to replace the HOSTNAME and PORT values again.
a. curl -k -s -o /dev/null -w "Response code: %{http_code}\n" https://wsuser:wsuser@HOSTNAME:PORT/rest/systemcontrol/status
4. If you receive output that reads 'Response code: 401' OR 'Response code: 403', your StorNext is NOT exposed to the security vulnerability.
5. If you receive output that reads 'Response code: 200', your StorNext is exposed to the security vulnerability.
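The detection steps above combined into a small POSIX shell checker (an added example, not part of the Quantum bulletin): it runs the same two curl probes against each host given on the command line and maps the pair of status codes to the bulletin's verdicts. Host and port values are caller-supplied placeholders; the curl --max-time option is added so an unreachable host does not hang the check.

```shell
#!/bin/sh
# Added example (not the bulletin's own tooling): run the two curl probes
# from the detection steps against one or more StorNext GUI hosts.

# Return the HTTP status code for a URL; "000" when curl cannot connect
# or is not installed.
http_code() {
    code=$(curl -k -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null)
    [ -n "$code" ] || code=000
    echo "$code"
}

# Map the two status codes to a verdict, following steps 2-5 of the bulletin.
#   $1 = code from GET /
#   $2 = code from GET /rest/systemcontrol/status with the wsuser credentials
classify() {
    if [ "$1" != "200" ]; then
        echo "UNREACHABLE"      # step 2: this device cannot reach the GUI
        return 0
    fi
    case "$2" in
        401|403) echo "MITIGATED" ;;     # step 4: wsuser access is blocked
        200)     echo "VULNERABLE" ;;    # step 5: undocumented account works
        *)       echo "INCONCLUSIVE" ;;  # anything else needs a manual look
    esac
}

# Probe one host (HOST or HOST:PORT, default port 443) and print a one-line
# report; exit status 1 if the host is vulnerable so it can drive a loop.
check_stornext() {
    host=${1%%:*}
    port=${1#*:}
    [ "$port" = "$1" ] && port=443
    base=$(http_code "https://$host:$port/")
    rest=$(http_code "https://wsuser:wsuser@$host:$port/rest/systemcontrol/status")
    verdict=$(classify "$base" "$rest")
    echo "$host:$port  GET /=$base  GET /rest/systemcontrol/status (wsuser)=$rest  -> $verdict"
    [ "$verdict" != "VULNERABLE" ]
}

# Usage: ./check_stornext.sh mdc1.example.internal mdc2.example.internal:8443
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        check_stornext "$target" || status=1
    done
    exit "${status:-0}"
fi
```

Run it from a host that can reach the GUI; a non-zero exit status means at least one target returned the vulnerable 200/200 pair.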
IMPACT
This security bulletin addresses two vulnerabilities in the StorNext GUI. The first vulnerability exposes the server to potential Arbitrary Remote Code Execution (RCE) by allowing the unauthorized upload of a file. The second vulnerability exposes internal StorNext configuration and unauthorized modification of some software configuration parameters using undocumented user credentials. Quantum strongly recommends that you upgrade your StorNext firmware or apply the mitigation documented below.
SOLUTION
Apply the mitigation plan below to a vulnerable StorNext GUI. Please be aware that if you plan to configure HA in StorNext, but have not yet done so, apply the mitigation AFTER the HA configuration is completed. More information is available below.
The mitigation script takes about 30 seconds to run. It will restart the webserver running the StorNext GUI. StorNext file systems are not affected by installation of the mitigation. If necessary, the mitigation can be easily reversed.
To apply the mitigation to your StorNext:
1. Log in to your StorNext server via ssh (stornext user)
2. Download stornext-mitigation.zip to the /tmp directory on each vulnerable StorNext server.
a. md5 checksum: 72af1ff6632ab3dd1bf1136fde9245d2
b. sha256 checksum: aafbc5c2094b4d96e8bc8dd8e34854e1e1eee761f58ed37c2d0be5dcbe516f76
3. Unzip the file contents.
4. Change directory to the security-patch directory.
5. Make the patch executable. Run 'chmod +x patch.sh'
6. Execute the patch.sh script. Run './patch.sh'
Sample output:
Backup /usr/adic/tomcat/webapps/ROOT/WEB-INF/web.xml to /usr/adic/tomcat/webapps/ROOT/WEBINF/web.xml.allow_uploads
Updating /usr/adic/tomcat/webapps/ROOT/WEB-INF/web.xml to disable uploads.
Upload REST API will be disabled after stornext_web service is restarted.
Copy RemoteWsUserValve.class to /usr/adic/tomcat/lib/com/quantum/rest/valve
Backup /usr/adic/tomcat/conf/server.xml to /usr/adic/tomcat/conf/server.xml.no_remote_wsuser_valve
Add RemoteWsUserValve directive to /usr/adic/tomcat/conf/server.xml
Restarting stornext_web service.
Upload REST API disabled.
RemoteWsUserValve installed.
If you see the output above, the mitigation has been successfully installed. To confirm that the vulnerability has been patched, you may use the “How can I tell if my StorNext GUI is vulnerable?” instructions provided earlier in this document.
The upcoming StorNext 7.2.4 release will also address these vulnerabilities. If you upgrade your StorNext after applying the mitigation, the mitigation will need to be reapplied if the version is less than 7.2.4 to ensure the server is protected.
Are there any side effects to the application of the mitigation?
Yes, there is a side effect of the mitigation that may affect some StorNext administrators. During the configuration of StorNext for High Availability (HA), the mitigation will cause an “Error scanning Secondary Node” error message and the HA setup will fail. If your StorNext is already configured for HA, there is no effect. It is only during HA configuration that the situation may arise.
To configure your StorNext for HA, you will need to temporarily disable the mitigation on the secondary node and then perform the HA configuration step. Quantum highly recommends re-applying the mitigation after HA is configured.
To disable the mitigation, perform the following steps:
1. Log in to your StorNext server via ssh (stornext user)
2. Download stornext-mitigation.zip to the /tmp directory on each StorNext server.
a. md5 checksum: 72af1ff6632ab3dd1bf1136fde9245d2
b. sha256 checksum: aafbc5c2094b4d96e8bc8dd8e34854e1e1eee761f58ed37c2d0be5dcbe516f76
3. Unzip the file contents.
4. Change directory to the security-patch directory.
5. Make the patch executable. Run 'chmod +x patch.sh'
6. Execute the patch.sh script with the ‘-u’ flag.
a. Run './patch.sh -u'
7. You will receive output that the mitigation has been removed/disabled.
The mitigation has been disabled and can be reapplied via the instructions above.
CONTACT INFORMATION
In North America, call 1-800-284-5101. In EMEA, call toll free +800-7826-8888 or direct +49 6131 324 185. In Asia Pacific, call +800-7826-8887. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support
CREDITS
Quantum would like to acknowledge and thank the following contributors who reported the security issues which we are addressing in this bulletin:
• Justine Osborne – Apple, Inc. Information Security