Severe security vulnerabilities in Fujitsu's cloud storage system exposed backups to unauthenticated attackers. Specifically, the bugs affected the FUJITSU ETERNUS CS8000 Control Center; the vendor has patched them following the bug report, so users should make sure to update their devices to receive the fixes.
Weaknesses in Fujitsu Cloud Storage
According to a recent post from NCC Group’s Fox-IT, the team discovered two different security vulnerabilities in the Fujitsu cloud storage system.
In particular, while reviewing a client's backup systems, they found command injection flaws affecting the Fujitsu ETERNUS CS8000 (Control Center). The flaws stem from missing validation of user input in two PHP scripts that any user on the network can reach. As the researchers put it:
The web application used to manage the backups was inspected, which led NCC Group's Fox-IT to discover the existence of two scripts, which can be accessed by any user on the network and pass user input directly to the "shell_exec" and "system" functions.
One of the vulnerabilities affected the "grel_finfo" function in grel.php, allowing an attacker to execute arbitrary commands by inserting special characters into the username ("user"), password ("pw"), and file-name ("file") parameters.
The second weakness exists in the "requestTempFile" function in hw_view.php, allowing an attacker to execute commands by inserting special characters into the "unitName" POST parameter.
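The root cause described above is a classic one: request parameters reach shell_exec or system without validation or quoting. The following PHP is an added, generic illustration of that bug class and its fix; it is not the grel.php or hw_view.php code, and the handler name, parameter name and directory argument are assumptions made for the example.

```php
<?php
// Added illustration, not Fujitsu's code: a hypothetical "file info" handler
// showing the pattern the advisory describes (a request parameter interpolated
// into a shell command) next to a hardened version of the same handler.

// VULNERABLE PATTERN: the "file" parameter reaches the shell unescaped.
function file_info_vulnerable(array $request): string
{
    $file = $request['file'] ?? '';
    // Any shell metacharacter in $file becomes part of the command line,
    // so whoever controls the parameter controls what gets executed.
    return (string) shell_exec("stat " . $file);
}

// HARDENED: allowlist the syntax, confine the path, and never hand an
// unquoted value to a shell parser.
function file_info_hardened(array $request, string $baseDir): string
{
    $file = $request['file'] ?? '';

    // 1. Allowlist validation: a plain file name only, no path separators or
    //    shell metacharacters. Reject bad input instead of trying to clean it.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $file)) {
        throw new InvalidArgumentException('invalid file name');
    }

    // 2. Path confinement: the resolved path must stay strictly below $baseDir.
    //    This also rejects "." and "..", which pass the regex but resolve
    //    to $baseDir itself or to its parent.
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('file not found');
    }

    // 3. If a shell command is genuinely needed, quote the argument so the
    //    shell sees exactly one literal word; "--" stops option parsing.
    //    Where a native PHP call exists (here: stat($path)), prefer it and
    //    avoid the shell entirely.
    return (string) shell_exec('stat -- ' . escapeshellarg($path));
}

// Example call with a constructed request (no real input involved).
// echo file_info_hardened(['file' => 'backup-2023.img'], '/var/backups');
```

The order of the checks matters for defenders reading logs as well: a rejected request fails at the allowlist step with a clear error before any process is spawned, so a spike in such rejections is a usable signal that someone is probing the parameter.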
Fujitsu Fixed the Bugs
After discovering these vulnerabilities, the researchers contacted Fujitsu, which, in response, developed related fixes.
In its advisory, Fujitsu stated that the vulnerabilities affect older versions, and it has released patches in Fujitsu ETERNUS CS8000 (Control Center) versions v8.1A SP02 P04 and v8.0A SP01 P03 H035.
Users should therefore update to the latest versions to receive the patches for these critical vulnerabilities. Note that the vendor asks customers to contact customer support for assistance in obtaining the updates:
A dedicated customer request to Fujitsu via ServiceNow or Support Assistant is required, due to the software distribution model.
So far, Fujitsu has confirmed that it has found no evidence of vulnerability exploits in the wild.