StoneFly SCVM Vulnerability:

CVE-2024-30213

StoneFly Storage Concentrator Virtual Machine (SCVM) versions before 8.0.4.26 have a command injection vulnerability (CWE-77). It allows attackers who have already gained access to the system (authenticated users) to inject shell commands through a seemingly harmless function: the Ping URL.

Vulnerability Type

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Attack Vectors

An authenticated user submits a specially crafted URL request to the Network Ping utility with a parameter containing an escaped shell command.
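The pattern behind this class of bug, shown as an added illustration that is not StoneFly's code and does not reflect how the SCVM ping utility is implemented: a ping target spliced into a shell string versus one validated as an IP address or hostname and passed as an argument vector with no shell. Function names and the sample inputs are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re

# RFC 1123-style hostname: labels of letters, digits and hyphens,
# no leading/trailing hyphen, total length up to 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_vulnerable(target: str) -> str:
    """CWE-77 pattern (hypothetical): the user-supplied target is
    spliced verbatim into a string that a shell will interpret, so
    any shell metacharacter in it changes what gets executed."""
    return f"ping -c 1 {target}"


def validate_ping_target(target: str) -> str:
    """Accept only an IP literal or a syntactically valid hostname.
    Everything else (spaces, ';', '|', '$', backticks, a leading '-')
    is rejected before it can reach a command line."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("ping target is not an IP address or hostname")


def is_safe_ping_target(target: str) -> bool:
    """Boolean wrapper around validate_ping_target for callers/logging."""
    try:
        validate_ping_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv_hardened(target: str) -> list[str]:
    """Hardened form: validate, then build an argv list. Run it with
    subprocess.run(argv) (shell=False), never via a shell string."""
    return ["ping", "-c", "1", validate_ping_target(target)]
```

The vulnerable builder also shows what a detection rule on the web tier can look for: a ping target parameter containing characters outside the IP/hostname alphabet.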

Attack Type

Remote

Affected Products

Storage Concentrator (SC) versions 8.0.4.25 and earlier.

Storage Concentrator Virtual Machine (SCVM) versions 8.0.4.25 and earlier.

Affected Component

The Network Ping utility on the Network GUI pages.

Remediation

StoneFly recommends upgrading to version 8.0.4.26 or later immediately. This update addresses the vulnerability and protects your system.

Acknowledgement

Credit to David Glenn Baylon at Aon Cyber Labs for discovering this, and responsibly reporting and working with us!

Exploitation

StoneFly, Inc. is not aware of any malicious use of this vulnerability in the wild.