Extreme safety vulnerabilities within the Fujitsu cloud storage system uncovered backups to unauthenticated attackers. Particularly, the bug affected the FUJITSU ETERNUS CS8000 Management Middle, which happily the distributors patched following the bug report. Due to this fact, customers should guarantee updating their units to obtain the patches.
Fujitsu Cloud Storage Vulnerabilities
In accordance with a current post from the NCC Group’s Fox-IT, the crew found two completely different safety vulnerabilities within the Fujitsu cloud storage system.
Particularly, they discovered command injection flaws affecting the Fujitsu ETERNUS CS8000 (Management Middle) whereas inspecting a consumer’s backup techniques. They observed a scarcity of consumer enter validation in two PHP scripts usually out there post-authentication. As acknowledged,
The online-application used to handle the backups was inspected, which lead NCC Group’s Fox-IT to find the existence of two scripts, that are accessible by any consumer on the community and which move consumer enter on to the “shell_exec” and “system” features.
One of many vulnerabilities affected the "grel_finfo" perform in grel.php, permitting an adversary to execute arbitrary instructions. An attacker may obtain the specified outcomes by tweaking the username (“consumer”), password (“pw”), and file-name (“file”) parameters with particular characters.
Whereas the second vulnerability existed within the "requestTempFile" perform in hw_view.php, permitting an adversary to change "unitName" POST parameter through particular characters to execute codes.
Fujitsu Patched The Bugs
After discovering these vulnerabilities, the researchers contacted Fujitsu, which, in response, developed related fixes.
Of their advisory, Fujitsu admitted that the vulnerabilities usually affected older variations. Whereas Fujitsu launched the patches with Fujitsu ETERNUS CS8000 (Management Middle) variations v8.1A SP02 P04 and v8.0A SP01 P03 H035.
So now, customers ought to guarantee updating to the newest variations to obtain the patches for these essential vulnerabilities. Nonetheless, the distributors urge the purchasers to get in contact with buyer help for help in getting these updates.
A devoted buyer request to Fujitsu through ServiceNow or Assist Assistant is required, as a result of software program distribution mannequin.
For now, Fujitsu has confirmed to have discovered no proof of vulnerability exploits within the wild.