Severe security vulnerabilities in the Fujitsu cloud storage system exposed backups to unauthenticated attackers. Specifically, the bugs affected the FUJITSU ETERNUS CS8000 Control Center, which the vendor fortunately patched following the bug report. Users should therefore update their devices to receive the patches.
Fujitsu Cloud Storage Vulnerabilities
According to a recent post from the NCC Group’s Fox-IT, the team found two different security vulnerabilities in the Fujitsu cloud storage system.
Specifically, they found command injection flaws affecting the Fujitsu ETERNUS CS8000 (Control Center) while inspecting a client’s backup systems. They noticed a lack of user input validation in two PHP scripts usually accessible post-authentication. As stated,
The web-application used to manage the backups was inspected, which led NCC Group’s Fox-IT to discover the existence of two scripts, which are accessible by any user on the network and which pass user input directly to the “shell_exec” and “system” functions.
One of the vulnerabilities affected the "grel_finfo" function in grel.php, allowing an adversary to execute arbitrary commands. An attacker could achieve the desired results by tweaking the username (“user”), password (“pw”), and file-name (“file”) parameters with special characters.
The second vulnerability existed in the "requestTempFile" function in hw_view.php, allowing an adversary to modify the "unitName" POST parameter with special characters to execute code.
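As an added example (not from Fox-IT's write-up and not Fujitsu's code), the following is a minimal line-based audit a defender could run over PHP sources to flag the pattern described above: request parameters reaching shell_exec or system without escapeshellarg(). The sample PHP is constructed and hypothetical; only the parameter names unitName and file come from the article.

```python
import re

# Sinks: the two functions named in the article plus PHP's other shell-execution calls.
SINKS = ("shell_exec", "system", "exec", "passthru", "popen", "proc_open")
SINK_RE = re.compile(r"\b(%s)\s*\((.*)\)" % "|".join(SINKS))
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]*\]")
ASSIGN_RE = re.compile(r"(\$\w+)\s*(\.?)=(?!=)\s*(.+);")
ESCAPED_RE = re.compile(r"escapeshellarg\s*\([^()]*\)")
VAR_RE = re.compile(r"\$\w+")

def audit_php(source):
    """Return [(line_no, sink, [request-derived names])] for unescaped shell calls."""
    tainted, findings = set(), []

    def taint_of(expr):
        hits = SOURCE_RE.findall(expr)
        hits += [v for v in VAR_RE.findall(expr) if v in tainted]
        return sorted(set(hits))

    for line_no, line in enumerate(source.splitlines(), 1):
        # Values wrapped in escapeshellarg() count as neutralised; nested calls
        # inside it are not recognised, so they stay flagged (conservative).
        visible = ESCAPED_RE.sub("''", line)
        call = SINK_RE.search(visible)
        if call and taint_of(call.group(2)):
            findings.append((line_no, call.group(1), taint_of(call.group(2))))
        assign = ASSIGN_RE.search(visible)
        if assign:
            name, append, rhs = assign.groups()
            if taint_of(rhs):
                tainted.add(name)        # variable now carries request data
            elif not append:
                tainted.discard(name)    # overwritten with a clean value
    return findings

# Constructed, hypothetical PHP (not Fujitsu's code); only the parameter
# names "unitName" and "file" are taken from the article.
SAMPLE = """<?php
$unit = $_POST['unitName'];
$tmp = shell_exec("ls -l /tmp/" . $unit);
system("stat " . $_REQUEST['file']);
$safe = escapeshellarg($_POST['unitName']);
$ok = shell_exec("ls -l /tmp/" . $safe);
"""

if __name__ == "__main__":
    for finding in audit_php(SAMPLE):
        print(finding)
```

A line-based check like this is a triage aid for code review, not a replacement for the vendor patch; multi-line statements and data passed through function calls need a real taint analyser.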
Fujitsu Patched The Bugs
After discovering these vulnerabilities, the researchers contacted Fujitsu, which, in response, developed relevant fixes.
In their advisory, Fujitsu admitted that the vulnerabilities typically affected older versions. Fujitsu released the patches with Fujitsu ETERNUS CS8000 (Control Center) versions v8.1A SP02 P04 and v8.0A SP01 P03 H035.
Users should now update to the latest versions to receive the patches for these critical vulnerabilities. However, the vendor urges customers to get in touch with customer support for help in getting these updates.
A dedicated customer request to Fujitsu via ServiceNow or Support Assistant is required, due to the software distribution model.
For now, Fujitsu has confirmed that it has found no evidence of the vulnerabilities being exploited in the wild.