CVE-2022-24552
📋 TL;DR
This vulnerability allows authenticated non-root users to execute arbitrary commands with root privileges through the StarWind REST API. Attackers can inject malicious input into virtual disk manipulation commands that get passed directly to bash scripts. This affects StarWind SAN and NAS installations running vulnerable versions.
💻 Affected Systems
- StarWind SAN and NAS
📦 What is this software?
- NAS by Starwindsoftware
- SAN by Starwindsoftware
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level command execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Privilege escalation from authenticated user to root, enabling complete control over the StarWind system and potentially connected storage.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching the REST API.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated due to direct command injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.2 build 1634 or later
Vendor Advisory: https://www.starwindsoftware.com/security/sw-20220203-0001/
Restart Required: Yes
Instructions:
1. Download the latest version from the StarWind support portal.
2. Back up the configuration.
3. Apply the update via the StarWind management interface.
4. Restart services.
🔧 Temporary Workarounds
Disable REST API
Temporarily disable the vulnerable REST API endpoint until patching is possible.
systemctl stop starwind-rest-api
systemctl disable starwind-rest-api
Network Access Control
Restrict network access to the StarWind REST API using firewall rules (ACCEPT from the trusted network must precede the DROP rule; replace trusted_network with your management subnet).
iptables -A INPUT -p tcp --dport 3261 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3261 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate StarWind systems from untrusted networks.
- Apply principle of least privilege to user accounts and monitor for suspicious REST API activity.
🔍 How to Verify
Check if Vulnerable:
Check StarWind version via management interface or CLI: starwind-version
Check Version:
starwind-version
Verify Fix Applied:
Confirm the version is v0.2 build 1634 or later, then confirm that virtual disk REST API requests containing shell metacharacters are rejected rather than executed.
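The version comparison above is easy to get wrong when done by eye (build numbers must be compared numerically, and a higher minor version supersedes a lower build number). The following is an added helper, not StarWind's own tooling; it assumes the version string is printed in the form "v0.2 build 1634", which is the format the advisory uses (the actual output format of starwind-version is an assumption).

```python
import re
import subprocess

# Fixed version from the vendor advisory: v0.2 build 1634 (major, minor, build).
FIXED_VERSION = (0, 2, 1634)

# Assumed version string format, matching how the advisory writes it.
VERSION_RE = re.compile(r"v(\d+)\.(\d+)\s+build\s+(\d+)", re.IGNORECASE)


def parse_version(text):
    """Extract (major, minor, build) from a version string such as 'v0.2 build 1634'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(text):
    """True when the version is v0.2 build 1634 or later (tuple comparison, numeric)."""
    return parse_version(text) >= FIXED_VERSION


def check_installed_version(command=("starwind-version",)):
    """Run the version CLI named in the advisory and report whether the fix is present.

    Assumption: the command prints a string containing 'vX.Y build N'.
    """
    output = subprocess.run(command, capture_output=True, text=True, check=True).stdout
    return is_patched(output)


if __name__ == "__main__":
    try:
        print("patched" if check_installed_version() else "VULNERABLE: update required")
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"could not determine version: {exc}")
```

A string-based comparison ("v0.2 build 999" > "v0.2 build 1634" lexically) would report the wrong answer; the tuple comparison avoids that.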
📡 Detection & Monitoring
Log Indicators:
- Unusual REST API requests with shell metacharacters
- Multiple failed authentication attempts followed by successful REST calls
- Commands executed with root privileges from non-root users
Network Indicators:
- Unusual outbound connections from StarWind system
- Traffic to REST API port (default 3261) from unexpected sources
SIEM Query:
source="starwind" AND (http_method="POST" OR http_method="PUT") AND (uri="/api/virtual-disk" OR uri="/api/disk") AND (request_body CONTAINS "$" OR request_body CONTAINS "|" OR request_body CONTAINS ";")
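The SIEM query above can be exercised offline against exported logs before it is deployed. The script below is an added example, not part of the advisory or StarWind's product; it applies the same filter (source, POST/PUT, the two disk URIs, and the three shell metacharacters) to a handful of constructed JSON log lines whose field names are taken from the query. The user field and the log format are assumptions.

```python
import json

# Filter terms taken directly from the advisory's SIEM query.
SUSPICIOUS_METHODS = {"POST", "PUT"}
WATCHED_URIS = {"/api/virtual-disk", "/api/disk"}
METACHARS = ("$", "|", ";")

# Constructed sample log lines (not real StarWind logs). Field names follow the
# SIEM query; "user" is an assumed extra field for context.
SAMPLE_LOGS = [
    '{"source": "starwind", "user": "operator", "http_method": "POST", '
    '"uri": "/api/virtual-disk", "request_body": "{\\"name\\": \\"disk01\\", \\"size\\": \\"10G\\"}"}',
    '{"source": "starwind", "user": "operator", "http_method": "POST", '
    '"uri": "/api/virtual-disk", "request_body": "{\\"name\\": \\"disk01;\\"}"}',
    '{"source": "starwind", "user": "operator", "http_method": "GET", '
    '"uri": "/api/virtual-disk", "request_body": ""}',
    '{"source": "starwind", "user": "admin", "http_method": "PUT", '
    '"uri": "/api/disk", "request_body": "{\\"name\\": \\"$HOME\\"}"}',
    '{"source": "nginx", "user": "-", "http_method": "POST", '
    '"uri": "/api/disk", "request_body": "a|b"}',
    'this line is not JSON and must be skipped, not crash the scan',
]


def is_suspicious(event):
    """Apply the advisory's SIEM filter to one parsed event."""
    if event.get("source") != "starwind":
        return False
    if event.get("http_method") not in SUSPICIOUS_METHODS:
        return False
    if event.get("uri") not in WATCHED_URIS:
        return False
    body = event.get("request_body") or ""
    return any(ch in body for ch in METACHARS)


def flag_events(lines):
    """Return one hit per matching line, noting which metacharacters were seen."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        if is_suspicious(event):
            body = event.get("request_body") or ""
            hits.append({
                "line": lineno,
                "user": event.get("user"),
                "method": event["http_method"],
                "uri": event["uri"],
                "metachars": [ch for ch in METACHARS if ch in body],
            })
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['method']} {hit['uri']} by {hit['user']} "
              f"contains {hit['metachars']}")
```

Two points the query itself does not make explicit: a GET to the same URI is ignored by design, and a literal "$" can appear in legitimate JSON bodies, so a hit is a triage signal to be correlated with the root-privilege indicators listed above, not a confirmed exploit.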