StoneFly SCVM Vulnerability: CVE-2024-30213
StoneFly Storage Concentrator Virtual Machine (SCVM) versions before 8.0.4.26 have a command injection vulnerability (CWE-77). It allows attackers who have already gained access to the system (authenticated users) to inject shell commands through a seemingly harmless function: the Ping URL of the Network Ping utility.
Vulnerability Type
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Attack Vectors
An authenticated user submits a specially crafted URL request to the Network Ping utility with a parameter containing an escaped shell command.
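The defect class described above is a user-supplied ping target reaching a shell. The following added example (hypothetical code, not StoneFly's implementation) contrasts the vulnerable string-concatenation shape with a hardened version that allow-lists the target and passes it as a single argv element with no shell involved; all function names and sample inputs are this example's own.

```python
"""Input handling for a web "ping this host" utility (added example, hypothetical).

Contrast: unsafe_ping_command() shows the vulnerable shape, where the target is
spliced into a string a shell will parse. safe_ping_argv()/run_ping() show the
fix: (1) accept only a literal IP address or an RFC 1123 hostname, rejecting
everything else instead of trying to escape it, and (2) hand the value to the
ping binary as one argv element with shell=False, so no shell ever sees it.
"""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 chars each, no leading or trailing hyphen, 253 chars overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def unsafe_ping_command(target: str) -> str:
    """Vulnerable shape: any shell metacharacter in `target` (; | $() backticks)
    becomes a second command when this string is run through a shell.
    Kept only for contrast; it is never executed in this example."""
    return f"ping -c 4 {target}"


def validate_ping_target(target: str) -> str:
    """Allow-list the target as an IPv4/IPv6 address or an RFC 1123 hostname.
    Because neither form can start with '-', this also blocks a value being
    parsed by ping as an option (argument injection) even without a shell."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("ping target is not a valid hostname or IP address")


def safe_ping_argv(target: str) -> list[str]:
    """Build an argv list: the validated target is exactly one argument."""
    return ["ping", "-c", "4", validate_ping_target(target)]


def run_ping(target: str, timeout: int = 15) -> subprocess.CompletedProcess:
    """Execute with shell=False and a timeout; the list form is not shell-parsed."""
    return subprocess.run(safe_ping_argv(target), shell=False,
                          capture_output=True, text=True, timeout=timeout)
```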
Attack Type
Remote
Affected Products
Storage Concentrator (SC) versions 8.0.4.25 and earlier.
Storage Concentrator Virtual Machine (SCVM) versions 8.0.4.25 and earlier.
Affected Component
The Network Ping utility on the Network GUI pages.
Remediation
StoneFly recommends upgrading to version 8.0.4.26 or later immediately. This update addresses the vulnerability and protects your system.
Additional Information
Acknowledgement
Credit to David Glenn Baylon at Aon Cyber Labs for discovering this vulnerability, reporting it responsibly, and working with us!
Exploitation
StoneFly, Inc. is not aware of any malicious use of this vulnerability in the wild.