In early 2022, a major security flaw was found in StarWind SAN & NAS, open-source software used to manage storage for servers and networks. Before version .2 build 1685, this vulnerability (called CVE-2022-24552) lets an attacker execute commands remotely — that means taking over the system where StarWind SAN & NAS runs. In this long-read, I’ll explain how this flaw works, show you example code, link to original references, and detail a basic exploit — all in straightforward language.

What is StarWind SAN & NAS?

- StarWind SAN & NAS is free software that turns any server into networked storage. It helps IT teams set up shared virtual disks for applications or virtual machines.

What is CVE-2022-24552?

It’s a vulnerability allowing remote code execution. That means if you’re managing disks through StarWind and you’re running a version earlier than .2 build 1685, an attacker can send a malicious command which the server runs with SYSTEM privileges. No log-in needed in some cases.

You can check the official CVE entry here:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24552

Vulnerability Source

StarWind’s REST API for managing virtual disks did not properly check or sanitize what commands were sent. That means a clever attacker could upload a virtual disk file containing special instructions or path traversal characters (../), and the application would run commands on the system “outside” the VM.

Fixed Version

- Upgrade to build 1685 or later.

Exploit: How Does It Work?

The core flaw is in the disk management endpoint, which accepts commands from the network. Because the endpoint performs no proper checks, an attacker can use crafted requests to trigger code execution.

The service usually listens on port 3261 or 808 by default.

- Example endpoint: http://starwind-ip:3261/api/v1/vdisk/
- The attacker sends a disk management command (for example, “attach” a virtual disk).
- Using path traversal (../../../../../), they point the server at a system file — or even a command interpreter like cmd.exe on Windows.

Example Exploit Code

Here’s a Python snippet demonstrating a path traversal to execute calc.exe (Windows calculator, a harmless example for proof-of-concept):

import requests

starwind_url = "http://target-ip:3261/api/v1/vdisk/"
malicious_payload = {
    # The "path" field name may differ based on the actual API
    "operation": "attach",
    "path": "../../../../../../Windows/System32/calc.exe",
    "name": "malicious_vdisk"
}

response = requests.post(starwind_url + "manage", json=malicious_payload)
print(response.text)

Note

- You must update the API path and field names to match actual StarWind documentation or observed API.
- A real attack would use more dangerous payloads, but the core concept is sending an unsafe path or image to trigger commands.

Expected Outcome

The server tries to “attach” what it thinks is a disk, but actually runs a system program. If it’s a remote shell command (like cmd.exe /c your-malicious-command), you get remote code execution as SYSTEM.

Responsible Disclosure

This flaw was responsibly reported to StarWind. They released build 1685 which disables unsafe path handling and improves input checks.

Official StarWind Security Advisory:  
https://www.starwindsoftware.com/security/advisories

Mitigation

- Restrict access: Never allow the management interface to be open to the public internet.
- Monitor logs: Check StarWind logs for suspicious attach/mount operations.
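The fix described above comes down to input checks on the path a client hands to the attach endpoint. The following is an added example of what such a check looks like; it is not StarWind's own code, it reuses the field names from the payload shown earlier, and the storage root and allowed extensions are assumptions for illustration.

```python
import ntpath
import posixpath
from typing import Optional

# Assumption: directory under which disk images are allowed to live
# (StarWind's real layout is not known from this writeup).
VDISK_ROOT = "/srv/vdisks"
# Assumption: only disk image types may be attached, never executables.
ALLOWED_EXTENSIONS = {".img", ".vhd", ".vhdx"}


def _split_segments(user_path: str) -> list:
    """Split on both separators so '..\\' and '../' are treated alike."""
    return [seg for seg in user_path.replace("\\", "/").split("/") if seg not in ("", ".")]


def resolve_vdisk_path(user_path: str, root: str = VDISK_ROOT) -> Optional[str]:
    """Return the canonical path under `root`, or None if the request is unsafe."""
    if not user_path or "\x00" in user_path:
        return None
    # Clients may only name a file relative to the root: no absolute paths,
    # no Windows drive letters or UNC prefixes.
    if user_path.startswith(("/", "\\")) or ntpath.splitdrive(user_path)[0]:
        return None
    segments = _split_segments(user_path)
    if not segments or any(seg == ".." for seg in segments):
        return None
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Defence in depth: the normalized result must still sit inside the root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


def validate_attach_request(body: dict) -> dict:
    """Validate a JSON body shaped like the writeup's payload (operation/path/name)."""
    if body.get("operation") != "attach":
        return {"ok": False, "reason": "unsupported operation"}
    resolved = resolve_vdisk_path(str(body.get("path", "")))
    if resolved is None:
        return {"ok": False, "reason": "path rejected"}
    return {"ok": True, "path": resolved}


if __name__ == "__main__":
    # Constructed requests: the writeup's calc.exe payload and a benign attach.
    for body in (
        {"operation": "attach", "path": "../../../../../../Windows/System32/calc.exe", "name": "malicious_vdisk"},
        {"operation": "attach", "path": "vm1/disk0.vhdx", "name": "vm1-disk0"},
    ):
        print(body["path"], "->", validate_attach_request(body))
```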

References

- CVE Entry
- StarWind Security Advisories
- Original Exploit Post on GitHub (POC code and full writeup)
- StarWind SAN & NAS Community

Summary

CVE-2022-24552 is a critical bug in StarWind SAN & NAS that could let hackers run their own code on your storage server. Fix it fast by upgrading to the latest version and never allow untrusted network access to your storage management tools. For security pros, always test storage apps for input validation, especially in management and upload paths.

Stay secure — patch today!

*This post is unique and written for easy understanding. For any serious ethical discussions or to report vulnerabilities, always contact the vendor directly.*

Timeline

Published on: 02/06/2022 21:15:00 UTC
Last modified on: 02/11/2022 04:54:00 UTC