A remote code execution vulnerability that elevates privileges was discovered in the cloud data management platform of SoftNAS Incorporated, as outlined in a security bulletin published by the company itself. The vulnerability exists in the web administration console and allows malicious hackers to execute arbitrary code with root permissions, bypassing the need for authorization. The issue lies in the snserv endpoint script within the platform, which is responsible for the verification and execution of such tasks. The vulnerability has been assigned the identifier CVE-2018-14417.
CoreSecurity SDI Corporation’s SoftNAS Cloud is an enterprise-geared network-attached data storage system that provides cloud support to some of the biggest vendors, such as Amazon Web Services and Microsoft Azure, whilst maintaining an impressive portfolio of clients such as Netflix Inc., Samsung Electronics Co. Ltd., Toyota Motor Co., The Coca-Cola Co., and The Boeing Co. The storage service supports the NFS, CIFS/SMB, iSCSI, and AFP file protocols, which makes for the most thorough and controlled enterprise storage and data service solution. This vulnerability, however, elevates user permissions and allows a remote hacker to execute malicious commands on the target server. As there is no authentication mechanism on the endpoint and the snserv script does not sanitize its input before carrying out the operation, the hacker can proceed without any session verification. Since the web server runs as a sudoer user, the hacker can obtain root permissions and complete access to execute any malicious code. This vulnerability is both locally and remotely exploitable and is rated as a critical risk.
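The two flaws described above (no authentication on the endpoint, and unsanitized input reaching a privileged command) shown beside their corrected form, as an added example that is not SoftNAS code. The helper path, the `--check` option and the version-style parameter are hypothetical, and the sample input is constructed.

```python
import re
import shlex

HELPER = "/opt/example/helper"  # hypothetical helper binary (assumption)
VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+){1,3}")  # allow-list: dotted digits


class Rejected(Exception):
    """Raised when a request fails authentication or input validation."""


def build_unsafe(value):
    # Flawed pattern described in the article: no session check, and the
    # request value is pasted into a string that a shell will interpret.
    return f"sudo {HELPER} --check {value}"


def shell_view(command):
    # Tokenize the way a shell separates commands, to show what it would see.
    return list(shlex.shlex(command, punctuation_chars=True))


def build_safe(session, value):
    # 1. Authenticate first: an endpoint that reaches root must not be anonymous.
    if not session or not session.get("authenticated"):
        raise Rejected("no authenticated session")
    # 2. Validate against an allow-list instead of stripping "bad" characters.
    if not isinstance(value, str) or not VERSION_RE.fullmatch(value):
        raise Rejected("value is not a dotted version number")
    # 3. Return an argv list for subprocess.run(argv) (shell=False), so the
    #    value can only ever be a single argument to the helper.
    return [HELPER, "--check", value]


if __name__ == "__main__":
    crafted = "4.0.3; id"  # constructed sample input
    print("shell sees:", shell_view(build_unsafe(crafted)))
    for session, value in [(None, "4.0.3"),
                           ({"authenticated": True}, crafted),
                           ({"authenticated": True}, "4.0.3")]:
        try:
            print("accepted:", build_safe(session, value))
        except Rejected as err:
            print("rejected:", err)
```

Running the web server under an account without blanket sudo rights limits what remains reachable if either check is ever bypassed.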
This vulnerability was brought to CoreSecurity SDI Corporation’s attention in May and has since been addressed in an advisory published on the security firm’s website. An update for SoftNAS has also been released. Users are requested to upgrade their systems to the latest version, 4.0.3, to mitigate the consequences of an unauthorized malicious code injection attack.