Talos Vulnerability Report


Intel Raid Web Console 3 add server denial-of-service vulnerability

March 24, 2020
CVE Number



A remote, exploitable denial-of-service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can lead to a null pointer dereference in the Intel Raid Web Console server. This would result in a denial of service until the user restarts LSA.exe. A remote unauthenticated attacker can send a POST request to trigger this vulnerability.

Tested Versions

Intel Raid Web Console 3 v007.009.011.000

Product URLs

Intel Raid Web Console 3 Download

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CWE-476: NULL Pointer Dereference


Intel RAID Web Console 3 (RWC3) software is a web-based application that monitors, maintains, troubleshoots and configures functions for Intel RAID products. The RWC3 graphical user interface (GUI) simplifies the viewing of an existing server hardware configuration, as well as creating and managing storage configurations.

The modules involved in this vulnerability are:

Image path: C:\Program Files (x86)\LSI\LSIStorageAuthority\bin\PluginManager.dll
    Image name: PluginManager.dll
    Browse all global symbols  functions  data
    Timestamp:        Fri Jan 11 00:57:22 2019 (5C385A72)
    CheckSum:         006A30EA
    ImageSize:        006A5000
    File version:
    Product version:

Image path: C:\Program Files (x86)\LSI\LSIStorageAuthority\bin\HTTP.dll
    Image name: HTTP.dll
    Browse all global symbols  functions  data
    Timestamp:        Fri Jan 11 00:10:36 2019 (5C384F7C)
    CheckSum:         00039A00
    ImageSize:        00032000
    File version:
    Product version:

One of the features of Intel RAID web API is the ability to add servers to the product for monitoring. One example of the parameters for this endpoint responsible for adding servers is:

{"action":"ADD", "parameters":{"server":"/lsi/storage/mr/api/1.0/servers/"}}

In this case, the /api/1.0/servers in the server parameter assumes that there is already an active session with the client and the application will use this session to query for the asked server of With this active session, the cookie for this session is queried.

.text:003BDAD6                 mov     edx, [eax]
.text:003BDAD8                 mov     ecx, eax
.text:003BDADA                 mov     eax, [edx+30h]
.text:003BDADD                 call    eax ; Call to http::FCGIHTTPCommand::getSessionCookie

The session ID is then retrieved from the newly received SessionCookie object.

.text:003BDADF                 mov     ecx, eax        ; this
.text:003BDAE1                 call    ?getSessionId@SessionCookie@http@@QBEABVSessionID@2@XZ ; http::SessionCookie::getSessionId(void)

.text:00017540                 lea     eax, [ecx+74h]
.text:00017543                 retn

The original session is returned by looking for a cookie called SESSIONID [0]. If this cookie is not found, the session returns as zero [1].

.text:00008BD6                 mov     ecx, [edi+58h]
.text:00008BD9                 sub     ecx, [edi+54h]
.text:00008BDC                 sar     ecx, 2
.text:00008BDF                 cmp     ebp, ecx
.text:00008BE1                 jb      short loc_8BE9
.text:00008BE3                 call    ds:_invalid_parameter_noinfo
.text:00008BE9                 mov     edx, [edi+54h]
.text:00008BEC                 mov     ebx, [edx+ebp*4]
.text:00008BEF                 mov     eax, [ebx]
.text:00008BF1                 mov     edx, [eax+4]
.text:00008BF4                 mov     ecx, ebx
.text:00008BF6                 call    edx
.text:00008BF8                 test    eax, eax
.text:00008BFA                 jnz     short loc_8C23
.text:00008BFC                 mov     eax, offset aHttpCookieGetN ; "http::Cookie::get_name"
.text:00008C01                 lea     esi, [esp+0D8h+var_C8]
.text:00008C05                 call    sub_3070
.text:00008C0A                 mov     ecx, esi        ; this
.text:00008C0C                 call    ??1formatted_log_t@utils@@UAE@XZ ; utils::formatted_log_t::~formatted_log_t(void)
.text:00008C11                 push    offset aSessionid ; "SESSIONID" ; [0]
.text:00008C16                 lea     ecx, [ebx+4]
.text:00008C19                 call    ds:?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHPBD@Z 
.text:00008C1F                 test    eax, eax
.text:00008C21                 jz      short loc_8C3B
.text:00008C23                 mov     eax, [edi+58h]
.text:00008C26                 sub     eax, [edi+54h]
.text:00008C29                 inc     ebp
.text:00008C2A                 sar     eax, 2
.text:00008C2D                 cmp     ebp, eax
.text:00008C2F                 jb      short loc_8BD6
.text:00008C31                 xor     eax, eax ; [1]
.text:00008C33                 pop     edi
.text:00008C34                 pop     esi
.text:00008C35                 pop     ebp
.text:00008C36                 pop     ebx
.text:00008C37                 mov     esp, ebp
.text:00008C39                 pop     ebp
.text:00008C3A                 retn

When the non-existent session cookie is attempted to be parsed, the small offset from null is dereferenced instead, causing a null pointer. This causes the server to crash and results in a denial of service.

Crash information

0:010> g
eax=00000000 ebx=02b1b2e8 ecx=02b1b2e8 edx=005d0000 esi=02b1b2e8 edi=00000074
eip=6fd7633a esp=02b1b190 ebp=02b1b19c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSVCP90!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign+0x10:
6fd7633a 394714          cmp     dword ptr [edi+14h],eax ds:002b:00000088=????????


2019-10-28 - Initial contact
2019-11-05 - 2nd contact; Vendor acknowledged & assigned PSIRT reference
2019-11-19 - Vendor requested disclosure extension for March timeline
2020-03-10 - Vendor confirmed mitigations
2020-03-24 - Public Release


Discovered by Geoff Serrao and Cory Duplantis of Cisco Talos.