CVE-2021-42080
📋 TL;DR
This vulnerability allows attackers to execute reflected cross-site scripting (XSS) attacks via specially crafted URLs in OSnexus QuantaStor storage systems. Attackers can inject malicious scripts that execute in victims' browsers when they visit manipulated links. Organizations running vulnerable OSnexus QuantaStor web interfaces are affected.
💻 Affected Systems
- OSnexus QuantaStor
📦 What is this software?
Quantastor by Osnexus
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the storage system, and potentially compromise stored data or use the system as a pivot point into internal networks.
Likely Case
Attackers steal session cookies or credentials from authenticated users, leading to unauthorized access to the storage management interface and potential data exposure.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching user browsers, preventing exploitation.
🎯 Exploit Status
The proof-of-concept demonstrates trivial exploitation via URL manipulation. No authentication is required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.2.3 and later
Vendor Advisory: https://www.osnexus.com/products/software-defined-storage
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Download QuantaStor version 5.7.2.3 or later from OSnexus.
3. Apply the update through the web interface or command line.
4. Restart the QuantaStor service or system.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to filter malicious requests before they reach the QuantaStor interface.
Network Segmentation
Restrict access to port 8153 to trusted management networks only using firewall rules (Linux).
iptables -A INPUT -p tcp --dport 8153 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8153 -j DROP
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Monitor access logs for suspicious patterns like repeated requests with script tags or onerror attributes.
🔍 How to Verify
Check if Vulnerable:
Access https://<IP>:8153/qstorapi/echo?inputMessage=<test> and check if the input is reflected without proper encoding in the response.
Check Version:
Check the web interface dashboard or run 'qs --version' on the QuantaStor system.
Verify Fix Applied:
After patching, test the same URL; the input should be properly encoded or filtered in the response.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /qstorapi/echo with suspicious parameters containing script tags, onerror, or alert()
Network Indicators:
- Unusual traffic patterns to port 8153 with URL-encoded script payloads
SIEM Query:
source="quantaStor_logs" AND uri="/qstorapi/echo" AND (param="inputMessage" AND value MATCHES "<script|onerror|alert")
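The log check described above, as an added example that is not code from OSnexus or the advisory. It assumes combined-format access log lines (the page does not state QuantaStor's log format), uses hypothetical function names and constructed sample lines, and goes slightly beyond the SIEM query by undoing repeated percent-encoding before matching.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Indicators named on this page: script tags, onerror attributes, alert().
SUSPICIOUS_RE = re.compile(r'<\s*script|onerror\s*=|alert\s*\(', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253Cscript is seen as <script."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_echo_requests(lines):
    """Return (line_number, decoded inputMessage) for suspicious echo calls."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a recognisable request line
        url = urlsplit(match.group(1))
        if url.path.rstrip("/") != "/qstorapi/echo":
            continue  # only the endpoint named in the advisory
        # parse_qs decodes once; fully_decode handles any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("inputMessage", []):
            decoded = fully_decode(raw)
            if SUSPICIOUS_RE.search(decoded):
                hits.append((number, decoded))
    return hits


# Constructed sample log lines (not taken from a real QuantaStor system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /qstorapi/echo?inputMessage=hello HTTP/1.1" 200 42',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /qstorapi/echo?inputMessage=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /qstorapi/echo?inputMessage=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 80',
    '10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /qstorapi/other?inputMessage=%3Cscript%3E HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, payload in flag_echo_requests(SAMPLE_LOG):
        print(f"line {number}: {payload}")
```

Matching on the decoded value rather than the raw URI is what catches the double-encoded third line, which a plain string match on the log entry would miss.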
🔗 References
- https://csirt.divd.nl/CVE-2021-42080
- https://csirt.divd.nl/DIVD-2021-00020/
- https://www.osnexus.com/products/software-defined-storage
- https://www.wbsec.nl/osnexus
- https://www.divd.nl/DIVD-2021-00020