CVE-2018-14701
Published: 2018-12-03
Priority: P182 · critical · CVSS 3.0 base score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tag: EXPLOIT
EPSS: 19.99% (97.1th percentile)
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drobo | 5n2_firmware | — | — |
Detection & IOCs (extracted from sources)
- Monitor for outbound TCP connections to port 8383, the bind shell port spawned by the exploit payload (telnetd or DroboAccess injection).
- Detect TCP traffic on ports 5000 and 5001 containing the 'DRINETTM' protocol magic bytes (44 52 49 4e 45 54 54 4d), which serve as the Drobo NASd service handshake/command preamble; their presence indicates exploitation of the NASd protocol.
- Alert on process execution of /usr/sbin/telnetd with arguments '-l /bin/sh' or '-l $SHELL' on Drobo NAS devices, as this is the root bind shell payload used by the exploit.
- Detect unauthenticated requests to /DroboAccess/delete_user: the endpoint requires no authentication, so any external access to it should be treated as suspicious.
- The exploit affects Drobo 5N2 firmware version 4.1.1 and lower; newer firmware versions may also be vulnerable but were unverified at time of disclosure.
- Most of the Drobo product line may be affected beyond the 5N2, but this was not verified by the researchers.
- The NASd command port (5001) only functions after a first connection to the stat port (5000); detection logic should account for this two-port protocol flow.
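As an added example (not code from the CVE record, the referenced writeups or the Drobo firmware), a small Python detector that applies the request-based and magic-bytes indicators above to constructed access-log lines and a constructed TCP payload; the combined log format, hosts, timestamps and sample values are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

DELETE_USER_PATH = "/DroboAccess/delete_user"
# Handshake preamble on the NASd ports, as given in the record (decodes to b"DRINETTM").
NASD_MAGIC = bytes.fromhex("4452494e4554544d")
NASD_PORTS = (5000, 5001)
# Characters a shell would interpret if the "username" value reaches a command line.
SHELL_META = re.compile(r"[;&|`$<>\n]")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def _username_param(query):
    """Return the decoded 'username' query value, or '' when absent."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "username":
            return unquote(value)
    return ""

def classify_request(log_line):
    """Return a finding for one combined-format access-log line, or None."""
    # Every hit on the endpoint is reported (it needs no authentication);
    # 'injection' is set when the username parameter carries shell metacharacters.
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != DELETE_USER_PATH:
        return None
    username = _username_param(url.query)
    return {"path": url.path, "username": username,
            "injection": bool(SHELL_META.search(username))}

def scan_log(lines):
    """Findings for every line that touches the endpoint, in log order."""
    return [f for f in (classify_request(line) for line in lines) if f]

def nasd_preamble_present(payload, port):
    """True when a payload on port 5000/5001 starts with the NASd magic bytes."""
    return port in NASD_PORTS and payload.startswith(NASD_MAGIC)

# Constructed sample log lines (hypothetical hosts and timestamps, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2018:10:00:01 +0000] "GET /DroboAccess/delete_user?username=alice HTTP/1.1" 200 12',
    '10.0.0.9 - - [03/Dec/2018:10:00:07 +0000] "GET /DroboAccess/delete_user?username=bob%3Bid HTTP/1.1" 200 12',
    '10.0.0.5 - - [03/Dec/2018:10:00:09 +0000] "GET /DroboAccess/index.html HTTP/1.1" 200 512',
]
```

Run `scan_log(SAMPLE_LOG)` to see both endpoint hits, only the second of which is flagged as injection; the port-bound check should be paired with the two-port flow noted above (stat port 5000 before command port 5001).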
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/156710/Drobo-5N2-4.1.1-Remote-Command-Injection.html
- https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc