Critical Commvault SSRF could allow attackers to execute code remotely

Commvault is a widely used data protection, backup, and recovery platform whose customers include Amazon, Walmart, and Apple. Because it sits close to an organization's most sensitive data, a breach can disrupt backup operations and give an attacker unauthorized access, a path for lateral movement, and a foothold from which to deploy malware and ransomware.

SSRF flaw escalated to code execution

The vulnerability was reported by watchTowr Labs researcher Sonny Macdonald as a server-side request forgery (SSRF) issue in a pre-authenticated endpoint called deployWebpackage.do. Macdonald called it a “very straightforward pre-auth SSRF vulnerability, as there is no filtering limiting the hosts that can be communicated with.”

“SSRF vulnerabilities are rather difficult to discover, but they can cause significant damage,” said Thomas Richards, infrastructure security practice director at Black Duck. “Users of Commvault should patch their installation immediately and begin forensic examination to determine if their instance was exploited. If the instance was exposed to the internet at all, firewall restrictions should be put in place to control who can access it.”

SSRF, a flaw that lets an attacker induce a server to make requests on their behalf to internal or external systems it can reach, does not by itself yield code execution; it has to be chained with something the reachable services expose. In this case, however, Macdonald built a proof-of-concept exploit showing how this pre-authenticated SSRF could be escalated to RCE.
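The core defect described above is a request-forwarding endpoint that does not restrict which hosts it will talk to. The following Python is an added illustration of that pattern and of a destination check, and is not Commvault's code nor watchTowr's proof of concept. The handler shape, the `url` parameter, the allowlist, and the DNS table are assumptions; the sample addresses are constructed so the example runs offline.

```python
"""Illustrative SSRF destination check (added example; assumptions noted inline)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist of hosts this server is meant to fetch packages from.
ALLOWED_HOSTS = {"packages.example.com"}


def handle_deploy_unfiltered(params):
    """Vulnerable pattern: the caller-supplied URL is used as the fetch target
    with no restriction on scheme or host, so any reachable internal or
    external service can be contacted on the caller's behalf."""
    return params["url"]


def resolve_host(host):
    """Resolve a name to every address it currently maps to (A and AAAA)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_internal(ip):
    """True for loopback, private, link-local, CGNAT, multicast and other
    non-global space. IPv4-mapped IPv6 addresses are unwrapped first so
    ::ffff:169.254.169.254 is judged as 169.254.169.254."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def check_target(url, allowed=ALLOWED_HOSTS, resolve=resolve_host):
    """Return (host, addresses) for a permitted destination, else raise ValueError.

    Order matters: scheme and userinfo are checked before the host is read,
    the host must be on the allowlist, and every address it resolves to must
    lie outside internal space, because an allowlisted name can still be
    pointed inside via DNS rebinding or a compromised resolver."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not permitted: %r" % parsed.scheme)
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("userinfo in URL is not permitted")
    host = parsed.hostname
    if not host:
        raise ValueError("no host in URL")
    host = host.lower().rstrip(".")
    if host not in allowed:
        raise ValueError("host not on allowlist: %r" % host)
    try:
        addrs = {ipaddress.ip_address(host)}          # host is an IP literal
    except ValueError:
        addrs = {ipaddress.ip_address(a) for a in resolve(host)}
    if not addrs:
        raise ValueError("host does not resolve: %r" % host)
    internal = sorted(str(a) for a in addrs if is_internal(a))
    if internal:
        raise ValueError("host resolves into internal space: %s" % internal)
    return host, {str(a) for a in addrs}


def is_safe_target(url, allowed=ALLOWED_HOSTS, resolve=resolve_host):
    """Boolean wrapper around check_target for callers that only need a verdict."""
    try:
        check_target(url, allowed, resolve)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs offline; real code resolves live.
FAKE_DNS = {"packages.example.com": {"93.184.216.34"}}


def fake_resolve(host):
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for candidate in [
        "https://packages.example.com/pkg.zip",
        "http://127.0.0.1:8080/",
        "http://[::1]/",
        "http://evil.example.net@packages.example.com/",
        "file:///etc/passwd",
    ]:
        print(candidate, "->", is_safe_target(candidate, resolve=fake_resolve))
```

One caveat the check does not remove: the address is resolved at validation time and again when the HTTP client connects, so a name that changes answers between the two lookups can still slip through. A production fix connects to the address that passed validation (or validates inside the client's connect hook) rather than re-resolving.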