Threat Response – Vulnerabilities in Commvault Command Center

23-11-2021

A SAFE DIGITAL JOURNEY

On Monday November 22nd, Source Incite released information concerning a vulnerability, combining multiple bugs, in Commvault Command Center[1]. One of these bugs allows an unauthenticated attacker to read arbitrary files on the system. Due to the fact that the Commvault application writes sensitive information to its logfiles, this can be used to obtain administrative privileges. Using these privileges, an attacker is able to execute arbitrary commands on the underlying system. In this message, we want to warn you about the threat and inform you about the possible mitigation steps.

Description

The vulnerability is a combination of several bugs (CVE-2021-34993[2] and CVE-2021-34996[3]). The first bug (CVE-2021-34993) is an authentication bypass and a file disclosure. An unauthenticated attacker can abuse this bug to read arbitrary files on the system. Because, when requesting a password reset, the password-reset token is written to a logfile, it’s possible to obtain an account with administrative privileges. The second bug (CVE-2021-34993) allows an authenticated attacker to create a ‘workflow’. Using a workflow arbitrary commands can be executed on the underlying system using SYSTEM privileges. By combining these bugs, an unauthenticated attacker can effectively execute arbitrary commands on the underlying system.

Impact

An attacker that is able to abuse this vulnerability has the possibility to take full control of the system. Due to the nature of the Commvault application the disruption or corruption of backups is very likely. Therefore, we estimate the impact being high.

Risk

Source Incite released proof of concept code[4]. An unauthenticated attacker van use this to execute arbitrary code on the underlying system. Moreover, Commvault has not released any patches yet, making abuse very likely. Therefore, we estimate the risk being high.

Mitigation

Commvault has not yet released patches for this vulnerability. Therefore, it’s important to properly position the webinterface within the network, so it is only accessible to authorised users.

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)

Sources

[1]: https://srcincite.io/blog/2021/11/22/unlocking-the-vault.html[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34993[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34996[4]: https://srcincite.io/pocs/cve-2021-%7B34993,34996%7D.py.txt

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.