CVE-2021-32518
📋 TL;DR
This vulnerability in QSAN Storage Manager's share_link function allows remote attackers to create symbolic links and access arbitrary files on the system. It affects QSAN Storage Manager installations before version 3.3.3. Attackers can potentially read sensitive files or escalate privileges.
💻 Affected Systems
- QSAN Storage Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file read/write, potentially leading to credential theft, data exfiltration, or privilege escalation to root/admin access.
Likely Case
Unauthorized access to sensitive configuration files, user data, or system files that could enable further attacks or information disclosure.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only allowing access to non-critical files.
🎯 Exploit Status
Remote exploitation is possible without authentication. The vulnerability is in a specific function that handles symbolic links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.3.3
Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-4874-79edc-1.html
Restart Required: Yes
Instructions:
1. Download QSAN Storage Manager v3.3.3 from official vendor sources. 2. Backup current configuration and data. 3. Install the update following vendor documentation. 4. Restart the Storage Manager service. 5. Verify the update was successful.
🔧 Temporary Workarounds
Disable share_link functionality
linuxTemporarily disable or restrict access to the vulnerable share_link feature until patching can be completed.
# Check QSAN documentation for specific disable commands
# Typically involves modifying configuration files or disabling specific services
Network isolation
linuxRestrict network access to QSAN Storage Manager to trusted internal networks only.
iptables -A INPUT -p tcp --dport [QSAN_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [QSAN_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IP addresses only.
- Monitor file access logs for unusual symbolic link creation or file access patterns.
🔍 How to Verify
Check if Vulnerable:
Check the QSAN Storage Manager version via web interface or command line. Versions before 3.3.3 are vulnerable.Check Version:
# Check via web interface at https://[QSAN_IP]:[PORT] or check service logs for version informationVerify Fix Applied:
Verify the version shows 3.3.3 or higher after update. Test share_link functionality to ensure symbolic link attacks are prevented.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns via share_link
- Multiple failed symbolic link creation attempts
- Access to system files from Storage Manager logs
Network Indicators:
- Unusual traffic patterns to share_link endpoints
- Multiple requests attempting file path traversal
SIEM Query:
source="QSAN_Storage_Manager" AND (event="file_access" OR event="symlink_creation") AND (file_path CONTAINS "/etc/" OR file_path CONTAINS "/root/")