CVE-2021-1497: Cisco HyperFlex HX Auth Handling Remote Command Execution

June 23, 2021 | Trend Micro Research Team

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Kc Udonsi and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in the Cisco HyperFlex HX Data Platform. The bug was originally discovered by Nikita Abramov and Mikhail Klyuchnikov of Positive Technologies. The following is a portion of their write-up covering CVE-2021-1497, with a few minimal modifications.


Cisco HyperFlex HX Data Platform is a high-performance, extensible distributed file system that supports multiple hypervisors with a wide range of enterprise-grade data management and optimization services. A remote code execution vulnerability has been reported in the product due to improper input sanitization.

A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the web-based management interface of the target server. Successful exploitation could lead to the execution of arbitrary code in the context of the root user. Cisco patched this vulnerability in May 2021.

The Vulnerability

Cisco HyperFlex HX Data Platform Installer uses an HTTP-based web console. It is accessible through the following address:

        https://<server_name>

Where <server_name> is the name of the machine on which Cisco HyperFlex HX is installed. HTTP is a request/response protocol described in RFCs 7230-7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

where CRLF represents the line terminator sequence consisting of a Carriage Return (CR) character followed by a Line Feed (LF) character, and SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like this:

A similar request using the POST method might look like this:

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:

        var1=value1&var2=value2&var3=value3...

Remote users can submit a request to the /auth/ endpoint of the Cisco HyperFlex HX server to authenticate themselves before installation operations. Below is an example of a request submitted to /auth/ to perform a system restore-and-reboot operation:

The frontend NGINX server will forward the HTTP request to the backend HTTP server listening on TCP/8082:

The HTTP server is implemented in the ELF executable /opt/springpath/auth/auth. When it receives an HTTP request sent to the /auth/ endpoint, it calls the function main_loginHandler() to handle the request. That function first looks up the line in the /etc/shadow file for the username supplied in the HTTP request and extracts the salt value from it. It then calls the function main_validatePassword() to validate the user-supplied password, which in turn calls main_checkHash(). To calculate the hash value of the supplied password, main_checkHash() builds and runs Python code of the following form:

        python -c 'import crypt; print crypt.crypt("<somePass>", "<salt>")'

Here <somePass> is the password supplied in the HTTP request and <salt> is the value extracted from the /etc/shadow file.

A Python code injection vulnerability exists here. The code fails to validate the password value before splicing it into the generated Python code string, so an attacker can include Python command injection characters in the password parameter to inject arbitrary Python code. For example, a value like the following:

implies the generated Python code will be like:

Therefore, the OS command COMMAND is executed when the generated Python code is run.
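The root cause above is a data value (the password) being spliced into source text (the `python -c` program). The following is an added example, not code from the write-up or from Cisco's product: it reproduces the shape of the vulnerable command construction, adds a parse-tree check that flags any password that alters the generated program's structure (a simple way to demonstrate the defect in a test suite without running anything), and shows the hardened form, which looks up the salt from constructed /etc/shadow-style lines, validates it strictly, hashes in-process, and compares in constant time. The shadow lines, usernames and passwords are constructed for the demo, and PBKDF2-HMAC-SHA512 stands in for crypt(3) because the `crypt` module is removed from the standard library in Python 3.13.

```python
"""Vulnerable command construction beside a hardened, in-process check."""
import ast
import hashlib
import hmac
import re

# Accept only a well-formed sha512-crypt salt prefix ("$6$" + up to 16 chars).
SALT_RE = re.compile(r"^\$6\$[./A-Za-z0-9]{1,16}$")


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3): the password stays a Python str and is only
    ever handed to a library call, never turned into source text."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def make_shadow_line(username: str, password: str, salt: str) -> str:
    """Build a constructed /etc/shadow-style entry for the demo."""
    return f"{username}:{hash_password(password, salt)}:18700:0:99999:7:::"


def extract_salt(shadow_lines, username):
    """Return the '$6$<salt>' prefix of the user's entry, or None if absent."""
    for line in shadow_lines:
        fields = line.split(":")
        if fields[0] == username and len(fields) >= 2:
            parts = fields[1].split("$")  # ['', '6', '<salt>', '<hash>']
            if len(parts) == 4:
                return "$" + "$".join(parts[1:3])
    return None


def vulnerable_command(password: str, salt: str) -> str:
    """The pattern the write-up describes: untrusted input becomes code.
    Returned as a string for inspection only; it is never executed here."""
    return "python -c 'import crypt; print crypt.crypt(\"%s\", \"%s\")'" % (password, salt)


def password_changes_program(password: str, salt: str) -> bool:
    """Test-suite style check: re-parse the generated program (Python 3 print
    syntax) and flag any password that breaks the parse or leaves the two
    crypt() arguments as anything other than plain string constants."""
    program = 'import crypt\nprint(crypt.crypt("%s", "%s"))' % (password, salt)
    try:
        tree = ast.parse(program)
    except SyntaxError:
        return True
    if len(tree.body) != 2 or not isinstance(tree.body[1], ast.Expr):
        return True
    outer = tree.body[1].value
    if not isinstance(outer, ast.Call) or len(outer.args) != 1:
        return True
    inner = outer.args[0]
    if not isinstance(inner, ast.Call) or len(inner.args) != 2:
        return True
    return not all(isinstance(a, ast.Constant) and isinstance(a.value, str)
                   for a in inner.args)


def verify_password(shadow_lines, username: str, password: str) -> bool:
    """Hardened check: fail closed on unknown user or malformed salt, hash
    in-process, and compare without leaking timing."""
    salt = extract_salt(shadow_lines, username)
    if salt is None or not SALT_RE.match(salt):
        return False
    stored = next(l.split(":")[1] for l in shadow_lines if l.split(":")[0] == username)
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed demo data (not from any real system).
SHADOW = [
    make_shadow_line("admin", "correct horse", "$6$abcdefgh"),
    make_shadow_line("root", "another secret", "$6$ijklmnop"),
]

if __name__ == "__main__":
    print(vulnerable_command("correct horse", extract_salt(SHADOW, "admin")))
    print("benign password alters program:", password_changes_program("correct horse", "$6$abcdefgh"))
    print("quoted password alters program:", password_changes_program('pa"ss', "$6$abcdefgh"))
    print("hardened verify (good):", verify_password(SHADOW, "admin", "correct horse"))
    print("hardened verify (bad):", verify_password(SHADOW, "admin", "wrong"))
```

The structural check is deliberately independent of any particular payload: it only asks whether the password is still a string constant in the resulting parse tree, which is the property the original code silently assumed. The hardened path never has that problem because no program text is generated at all; if an out-of-process hash were unavoidable, the same principle applies by keeping the child script fixed and passing the password through stdin or an argument vector rather than the command line.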

A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in the execution of arbitrary commands in the security context of the root user.

Conclusion

Cisco patched this vulnerability in May 2021. In their advisory, they mention there are no workarounds. Affected customers should apply the vendor patch to ensure they are protected from this vulnerability.

Special thanks to Kc Udonsi and Yazhi Wang of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the ZDI team for the latest in exploit techniques and security patches.