CVE-2022-32268

8.8 HIGH

📋 TL;DR

CVE-2022-32268 allows remote code execution in StarWind SAN and NAS via a command injection vulnerability in the REST API. Attackers with non-root user access can inject arbitrary commands that execute with root privileges by manipulating the hostname parameter. This affects StarWind SAN and NAS v0.2 build 1914 installations.

💻 Affected Systems

Products:
  • StarWind SAN and NAS
Versions: v0.2 build 1914
Operating Systems: Linux-based StarWind OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the REST API endpoint. Default installations with network exposure are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with root-level access, allowing data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Attacker gains full administrative control over the storage system, potentially accessing sensitive data and disrupting storage operations.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching the REST API.

🌐 Internet-Facing: HIGH - If the REST API is exposed to the internet, attackers can exploit this without internal access.
🏢 Internal Only: HIGH - Even internally, any user with access to the REST API can escalate to root privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing user access to the REST API. The vulnerability is straightforward command injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.2 build 1915 or later

Vendor Advisory: https://www.starwindsoftware.com/security/sw-20220531-0001/

Restart Required: Yes

Instructions:

1. Download the latest version from the StarWind support portal.
2. Back up configuration and data.
3. Install the update following vendor documentation.
4. Restart the system.

🔧 Temporary Workarounds

Restrict REST API Access

Limit network access to the REST API endpoint using firewall rules. Replace the bracketed placeholders with your own port and trusted network, and keep the ACCEPT rule ahead of the DROP rule so trusted sources are matched first:

iptables -A INPUT -p tcp --dport [REST_API_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [REST_API_PORT] -j DROP

Disable Unnecessary REST API

If REST API functionality is not required, disable it completely:

systemctl stop [starwind_rest_api_service]
systemctl disable [starwind_rest_api_service]

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate StarWind systems from untrusted networks.
  • Apply principle of least privilege to user accounts and monitor for suspicious REST API activity.

🔍 How to Verify

Check if Vulnerable:

Check the installed version via the StarWind management interface or CLI. If the version is v0.2 build 1914, the system is vulnerable.

Check Version:

starwind-cli --version, or check via the web management interface

Verify Fix Applied:

Verify the version is updated to v0.2 build 1915 or later and test that hostname changes via REST API properly validate input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual hostname change requests in REST API logs
  • Suspicious command execution in system logs

Network Indicators:

  • Unexpected connections to REST API port from unauthorized sources
  • Anomalous outbound connections from StarWind system

SIEM Query:

source="starwind.log" AND ("hostname change" OR "REST API injection")
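The two checks above (verifying that hostname changes validate their input, and flagging unusual hostname change requests in REST API logs) both come down to the same allowlist test. The following is an added example, not StarWind code: it validates a hostname against the RFC 1123 label grammar, passes an accepted value to the OS as a single argv element (the use of hostnamectl as the underlying command is an assumption here), and runs the same check over constructed REST API log lines. The key=value log format and the /api/v1/host/name path are hypothetical, since the page does not document StarWind's actual log format.

```python
import re
import shlex
import subprocess
from typing import Callable, List

# RFC 1123 label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_hostname(name: str) -> bool:
    """Allowlist check: only RFC 1123 hostnames pass. Shell metacharacters,
    whitespace, empty labels and over-long names are all rejected outright."""
    if not isinstance(name, str) or not name or len(name) > 253:
        return False
    if name.endswith("."):  # tolerate a single trailing dot (absolute FQDN form)
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


def build_set_hostname_argv(name: str) -> List[str]:
    """Return the argv for the hostname change (hostnamectl assumed here).
    No shell is involved, so the value is one argument and is never parsed."""
    if not validate_hostname(name):
        raise ValueError(f"rejected hostname: {name!r}")
    return ["hostnamectl", "set-hostname", name]


def set_hostname(name: str, runner: Callable = subprocess.run) -> int:
    """Validate first, then execute with shell=False. `runner` is injectable
    so the function can be exercised without changing the real host."""
    result = runner(build_set_hostname_argv(name), shell=False, check=False)
    return result.returncode


# Constructed REST API log lines in a hypothetical key=value format.
# The third line is the kind of request a defender would want surfaced.
SAMPLE_LOG = """\
2022-06-01T09:58:12Z user=alice src=10.0.5.20 method=PUT path=/api/v1/host/name value="nas01"
2022-06-01T10:01:44Z user=bob src=10.0.5.21 method=PUT path=/api/v1/host/name value="storage-node-02.example.internal"
2022-06-01T10:03:09Z user=bob src=203.0.113.7 method=PUT path=/api/v1/host/name value="nas01;id"
"""


def flag_hostname_requests(log_text: str) -> List[dict]:
    """Return one record per hostname-change request whose value fails the
    allowlist, i.e. a value that a vulnerable build would have passed to the shell."""
    flagged = []
    for line in log_text.splitlines():
        tokens = shlex.split(line)  # strips the quotes around value="..."
        fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        if fields.get("path") != "/api/v1/host/name":
            continue
        value = fields.get("value", "")
        if not validate_hostname(value):
            flagged.append({"ts": tokens[0], "user": fields.get("user"),
                            "src": fields.get("src"), "value": value})
    return flagged


if __name__ == "__main__":
    for hit in flag_hostname_requests(SAMPLE_LOG):
        print(f"{hit['ts']} suspicious hostname change by {hit['user']} "
              f"from {hit['src']}: {hit['value']!r}")
```

Run as a script it reports only the third constructed line. The same validate-then-argv pattern is what a fixed build needs on the server side; the log sweep is the defender's view of the same condition after the fact.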
