Fujitsu Cloud Storage Vulnerabilities Could Expose Backups To Attackers

Two severe command injection vulnerabilities in Fujitsu's cloud storage system exposed backups to unauthenticated attackers. The bugs affected the FUJITSU ETERNUS CS8000 Control Center, and Fujitsu has patched them following the researchers' report. Users should therefore update their devices to the patched versions.

Fujitsu Cloud Storage Vulnerabilities

According to a recent post from NCC Group's Fox-IT, the team discovered two security vulnerabilities in the Fujitsu cloud storage system.

Specifically, they found command injection flaws in the Fujitsu ETERNUS CS8000 (Control Center) while inspecting a client's backup systems. Two PHP scripts in the management web application passed user input to shell functions without validation and, although meant for use after login, were reachable by any user on the network. As stated,

The web-application used to manage the backups was inspected, which led NCC Group's Fox-IT to discover the existence of two scripts, which are accessible by any user on the network and which pass user input directly to the "shell_exec" and "system" functions.

The first vulnerability affected the "grel_finfo" function in grel.php, allowing an adversary to execute arbitrary commands. An attacker could achieve this by inserting shell metacharacters into the username ("user"), password ("pw"), and file-name ("file") parameters, which are concatenated into the command that the script hands to the shell.

The second vulnerability existed in the "requestTempFile" function in hw_view.php, where an adversary could place shell metacharacters in the "unitName" POST parameter to execute arbitrary commands in the same way.
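To make the class of bug concrete, the following PHP is an added illustration and is not Fujitsu's code: the page does not reproduce grel.php or hw_view.php, so the command name (finfo), its options, the backup directory and the exact way the "user", "pw" and "file" parameters are assembled are all assumptions. The vulnerable handler shows the shape of the flaw described for both scripts (unvalidated input concatenated into a string given to shell_exec or system); the hardened handler shows the two fixes a practitioner would want, allowlist validation of every parameter and running the binary through an argv array so no shell ever parses the input.

```php
<?php
// Added illustration (not Fujitsu's code). The command, paths and parameter
// handling are assumptions chosen to show the bug class, not the real grel.php.
declare(strict_types=1);

// --- Vulnerable pattern: user input concatenated into a shell command line ----
// A request like  ?user=admin&pw=secret&file=backup.log  becomes
//   finfo --user 'admin' --pw 'secret' '/var/backups/backup.log'
// but file="x';id;'" closes the quote and makes the shell run  id  as the
// web server user. The same applies to the user and pw parameters.
function grel_finfo_vulnerable(array $params): string
{
    $user = $params['user'] ?? '';
    $pw   = $params['pw']   ?? '';
    $file = $params['file'] ?? '';
    $cmd  = "finfo --user '$user' --pw '$pw' '/var/backups/$file'"; // assumed command
    return (string) shell_exec($cmd);   // input reaches the shell unvalidated
}

// --- Hardened version ------------------------------------------------------------
// 1. Validate each parameter against an allowlist before it goes anywhere near
//    a process invocation.
// 2. Reject "." and ".." so the file name cannot leave the backup directory.
// 3. Never build a command string: hand proc_open() an argv array (PHP >= 7.4),
//    which executes the binary directly, so quotes, ';' and '$(...)' are plain
//    characters in an argument rather than shell syntax.
function validate_param(string $name, string $value, string $pattern, int $maxLen): string
{
    if ($value === '' || strlen($value) > $maxLen || !preg_match($pattern, $value)) {
        throw new InvalidArgumentException("rejected parameter: $name");
    }
    return $value;
}

function grel_finfo_hardened(array $params): string
{
    $user = validate_param('user', $params['user'] ?? '', '/^[A-Za-z0-9_.-]+$/', 64);
    // Printable ASCII only; spaces are fine because no shell will ever split on them.
    $pw   = validate_param('pw',   $params['pw']   ?? '', '/^[\x20-\x7e]+$/', 128);
    $file = validate_param('file', $params['file'] ?? '', '/^[A-Za-z0-9_.-]+$/', 255);
    if ($file === '.' || $file === '..') {
        throw new InvalidArgumentException('rejected parameter: file');
    }

    // argv array: the kernel receives these strings as-is, no shell is involved.
    $argv = ['/usr/local/bin/finfo', '--user', $user, '--pw', $pw, '/var/backups/' . $file];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start finfo');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed request carrying the injection attempt; the hardened handler refuses it
// before any process is started, whereas the vulnerable one would have executed "id".
$malicious = ['user' => 'admin', 'pw' => 'x', 'file' => "x';id;'"];
try {
    grel_finfo_hardened($malicious);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // rejected parameter: file
}
```

Two design notes. escapeshellarg() on each value would also stop the injection, but it is easy to forget one parameter (the real bug spanned three in one function), so removing the shell from the call path is the more robust fix. Separately, passing a password as a command-line argument exposes it in the process list; a real fix would deliver it on stdin or through the environment, which is outside what this example is meant to show.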

Fujitsu Patched The Bugs

After discovering these vulnerabilities, the researchers reported them to Fujitsu, which developed fixes in response.

In its advisory, Fujitsu stated that the vulnerabilities affect older versions and that fixes are included in Fujitsu ETERNUS CS8000 (Control Center) versions v8.1A SP02 P04 and v8.0A SP01 P03 H035.

Users should update to these or later versions to receive the fixes for these critical vulnerabilities. Because of how the software is distributed, Fujitsu asks customers to contact customer support to obtain the updates:

A dedicated customer request to Fujitsu via ServiceNow or Support Assistant is required, due to the software distribution model.

Fujitsu says it has found no evidence of these vulnerabilities being exploited in the wild.
