SoftNAS Cloud CVE-2018-14417 OS Command Injection Vulnerability



SoftNAS Cloud is prone to an OS command-injection vulnerability because it fails to properly sanitize user-supplied input.

An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks.
Versions prior to SoftNAS Cloud 4.0.3 are vulnerable.

Information

Bugtraq ID: 104914
Class: Input Validation Error
CVE: CVE-2018-14417

Remote: Yes
Local: No
Published: Jul 26 2018 12:00AM
Updated: Jul 26 2018 12:00AM
Credit: Fernando Díaz and Fernando Catoira.
Vulnerable:
  SoftNAS Cloud 4.0.2
  SoftNAS Cloud 4.0.1
  SoftNAS Cloud 3.7.3
  SoftNAS Cloud 3.7.2
  SoftNAS Cloud 3.7.1
  SoftNAS Cloud 4.0
  SoftNAS Cloud 3.7


Not Vulnerable: SoftNAS Cloud 4.0.3


Exploit


The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.


References:
