Unrated severity · NVD Advisory · Published Oct 21, 2021 · Updated Sep 16, 2024

CVE-2021-29873


Description

IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service due to a restricted shell escape vulnerability. IBM X-Force ID: 206229.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM FlashSystem 900 restricted shell escape allows authenticated attackers to obtain sensitive info or cause denial of service.

Vulnerability

An authenticated attacker can escape the restricted shell in IBM FlashSystem 900, SAN Volume Controller, Storwize, Spectrum Virtualize, and related products. The vulnerability exists in the sed command, allowing a restricted shell escape. Affected versions include all supported code streams from 7.8 to 8.4 (excluding 8.4.2.0 and later) for those products, and FlashSystem 900 VRMFs prior to 1.5.2.10 (1.5 stream) or 1.6.1.4 (1.6 stream) [1][2].

Exploitation

An attacker must have valid authentication credentials for the device. The attack is carried out over the network and has low attack complexity (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The attacker can exploit the sed restricted shell escape to execute arbitrary commands, potentially gaining shell access beyond the restricted environment [1][2].

Impact

Successful exploitation allows the attacker to obtain sensitive information (confidentiality breach) and cause a denial of service (availability breach). The CVSS score is 8.8 (High), with scope unchanged but full impact on confidentiality, integrity, and availability [1][2].

Mitigation

IBM provides code fixes: for the SVC/Storwize/FlashSystem V9000 family, upgrade to 7.8.1.14, 8.2.1.14, 8.3.1.6, 8.4.0.5, or 8.4.2.0 or later [1]. For FlashSystem 900, upgrade to VRMF 1.5.2.10 or 1.6.1.4 depending on the code stream [2]. FlashSystem 840 (MTM 9840-AE1 and 9843-AE1) is end-of-life and no longer supported [2].
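The fixed levels above can be checked against a system inventory as follows. This is an added example, not IBM tooling or code from the advisory; the family labels, the hostnames, and the rule that a listed fix only covers its own V.R.M stream are assumptions of the example.

```python
# Fixed levels copied from the Mitigation paragraph above.
SV_FIXED = [(7, 8, 1, 14), (8, 2, 1, 14), (8, 3, 1, 6), (8, 4, 0, 5)]
SV_FIXED_FLOOR = (8, 4, 2, 0)   # "8.4.2.0 or later"
SV_AFFECTED_FROM = (7, 8)       # affected streams start at 7.8
FS900_FIXED = {(1, 5): (1, 5, 2, 10), (1, 6): (1, 6, 1, 4)}


def parse_vrmf(text):
    """Parse 'V.R.M.F' into a tuple of four ints so 1.5.2.10 > 1.5.2.9."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a V.R.M.F level: {text!r}")
    return tuple(int(p) for p in parts)


def classify(family, level):
    """Return 'fixed', 'vulnerable' or 'not-covered' for one code level."""
    # Family labels are assumptions: 'spectrum-virtualize' or 'fs900'.
    v = parse_vrmf(level)
    if family == "fs900":
        fix = FS900_FIXED.get(v[:2])
        if fix is None:
            return "not-covered"    # only the 1.5 and 1.6 streams are listed
        return "fixed" if v >= fix else "vulnerable"
    if family == "spectrum-virtualize":
        if v >= SV_FIXED_FLOOR:
            return "fixed"
        if v[:2] < SV_AFFECTED_FROM:
            return "not-covered"    # below 7.8 the advisory text is silent
        # Assumption: a listed fix only covers its own V.R.M stream.
        in_stream = any(v[:3] == f[:3] and v >= f for f in SV_FIXED)
        return "fixed" if in_stream else "vulnerable"
    raise ValueError(f"unknown family: {family!r}")


def audit(inventory):
    """Map each (name, family, level) row to its classification."""
    return {name: classify(fam, lvl) for name, fam, lvl in inventory}


# Constructed inventory; hostnames and levels are made up for illustration.
SAMPLE = [
    ("svc-a", "spectrum-virtualize", "8.4.0.4"),
    ("fs900-a", "fs900", "1.5.2.9"),
    ("fs900-b", "fs900", "1.5.2.10"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

Levels are compared as integer tuples because a plain string comparison would rank 1.5.2.10 below 1.5.2.9 and report a patched FlashSystem 900 as vulnerable.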

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12


References

3
