cbcvebase.
CVE-2018-14701
published 2018-12-03

Priority: P1 (82) · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public PoC available (the request payload is listed under Detection & IOCs)
EPSS: 19.99% (97.1th percentile)
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

Affected (1 range)

Vendor   Product        Version range   Fixed in
drobo    5n2_firmware   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: /DroboAccess/delete_user
command: GET /DroboAccess/delete_user?username=test';/usr/sbin/telnetd -l /bin/sh -p 8383
port: 8383
command: telnetd -l $SHELL -p 8383
  • Monitor for TCP connections to port 8383 on Drobo NAS devices, and for any new listener on that port: the injected payload starts a telnetd bind shell on 8383, so the attacker's follow-up connection arrives inbound on that port (it is not an outbound callback).
  • Detect TCP traffic on ports 5000 and 5001 that starts with the 'DRINETTM' protocol magic bytes (44 52 49 4e 45 54 54 4d), the Drobo NASd service handshake/command preamble. The preamble is part of the normal NASd protocol, so alert on it from unexpected clients or from the Internet rather than on its presence alone.
  • Alert on execution of /usr/sbin/telnetd with arguments '-l /bin/sh' or '-l $SHELL' on Drobo NAS devices; this is the root bind shell payload used by the exploit.
  • Detect unauthenticated requests to /DroboAccess/delete_user. The endpoint requires no authentication, so any external access to it should be treated as suspicious, and a "username" value containing a single quote or shell metacharacters (;, &, |, `, $) is the injection itself.
  • The exploit affects Drobo 5N2 firmware version 4.1.1 and lower; newer firmware versions may also be vulnerable but were unverified at time of disclosure.
  • Most of the Drobo product line may be affected beyond the 5N2, but this was not verified by the researchers.
  • The NASd command port (5001) only functions after first connecting to the stat port (5000); detection logic should account for this two-port protocol flow.
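The indicators above can be turned into three small checks: one over web access logs (endpoint hit, and whether the decoded "username" breaks out of the quoted shell argument), one over network flow data (NASd preamble on 5000/5001, or any connection to the bind shell port), and one over process telemetry (telnetd started with a shell as its login program). The code below is an added example written for this page, not code from the database, the advisory or Drobo. It assumes an Apache/nginx combined-format access log, that flow telemetry provides the destination port and first payload bytes, and that process telemetry provides argv; the sample log lines are constructed, and all function names are ours.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ENDPOINT = "/DroboAccess/delete_user"           # unauthenticated endpoint named in the advisory
BIND_SHELL_PORT = 8383                           # bind shell port used by the PoC payload
NASD_PORTS = {5000, 5001}                        # NASd stat port and command port
NASD_MAGIC = bytes.fromhex("4452494e4554544d")   # b"DRINETTM", the NASd preamble
SHELLS = {"sh", "ash", "bash", "dash", "busybox", "$SHELL"}
# Any of these inside the username ends the quoted shell argument the endpoint builds.
SHELL_META = re.compile(r"[;&|`$'\"\n]")

# Apache/nginx "combined" access-log layout (assumed format, not taken from the page).
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: an injection attempt, a plain hit on the endpoint, an unrelated request.
SAMPLE_LOG = """\
10.0.0.7 - - [03/Dec/2018:10:01:12 +0000] "GET /DroboAccess/delete_user?username=test%27%3B/usr/sbin/telnetd%20-l%20/bin/sh%20-p%208383 HTTP/1.1" 200 17
10.0.0.9 - - [03/Dec/2018:10:01:30 +0000] "GET /DroboAccess/delete_user?username=alice HTTP/1.1" 200 17
10.0.0.9 - - [03/Dec/2018:10:02:00 +0000] "GET /DroboAccess/index.html HTTP/1.1" 200 1024
"""


def _query_params(query):
    """Split a raw query on '&' only; ';' is an injection character here, never a separator."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_request(target):
    """Verdict for one request target (path + query), or None if unrelated to the endpoint."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    usernames = _query_params(parts.query).get("username", [])
    if any(SHELL_META.search(u) for u in usernames):
        return "critical: command injection in username"
    return "suspicious: unauthenticated delete_user access"


def scan_access_log(text):
    """Return [(client_ip, verdict)] for every hit on the endpoint in a combined-format log."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict:
            hits.append((m["ip"], verdict))
    return hits


def classify_flow(dst_port, payload):
    """Network side: NASd preamble on 5000/5001, or any connection to the bind shell port."""
    if dst_port in NASD_PORTS and payload.startswith(NASD_MAGIC):
        return f"suspicious: NASd DRINETTM preamble on tcp/{dst_port}"
    if dst_port == BIND_SHELL_PORT:
        return "critical: connection to telnetd bind shell port 8383"
    return None


def classify_process(argv):
    """Host side: telnetd started with -l <shell> is the root bind shell payload."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "telnetd":
        return None
    if "-l" not in argv or argv.index("-l") + 1 >= len(argv):
        return None
    login = argv[argv.index("-l") + 1]
    if login.rsplit("/", 1)[-1] in SHELLS:
        return f"critical: telnetd -l {login} (root bind shell)"
    return None


if __name__ == "__main__":
    for ip, verdict in scan_access_log(SAMPLE_LOG):
        print(ip, verdict)
    print(classify_flow(5000, NASD_MAGIC + b"\x00\x00\x00\x10"))
    print(classify_process(["/usr/sbin/telnetd", "-l", "/bin/sh", "-p", "8383"]))
```

The access-log check decodes percent-encoding before looking for metacharacters, because the PoC request is only loggable in one piece when the spaces and quotes are encoded. A single quote in a username is itself the breakout character, so a legitimate user name such as o'brien will trip the critical verdict; on a device where that is common, keep the endpoint-access alert and review the quote hits by hand. The NASd check only fires when the preamble is at the start of the payload and the port is 5000 or 5001; combine it with source-address context, since normal Drobo management clients speak the same protocol.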

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P