Talos Vulnerability Report


Intel Raid Web Console 3 DISCOVERY Denial of Service

March 24, 2020
CVE Number



An exploitable denial of service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can cause the LSA.exe service to exit, resulting in a denial of service. A remote unauthenticated attacker can send a malicious POST request to trigger this vulnerability.

Tested Versions

Intel Raid Web Console 3 v007.009.011.000

Product URLs

Intel Raid Web Console 3 Download

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CWE-20 Improper Input Validation https://cwe.mitre.org/data/definitions/20.html


IntelĀ® RAID Web Console 3 (RWC3) software is a web-based application that performs monitoring,maintaining, troubleshooting and configuration functions for the Intel RAID products. The RWC3 graphicaluser interface (GUI) simplifies the viewing of an existing server hardware configuration, as well as creating and managing storage configurations.

The binary used for this vulnerability is below:

Image path: C:\Program Files (x86)\LSI\LSIStorageAuthority\bin\HTTP.dll
Image name: HTTP.dll
Browse all global symbols  functions  data
Timestamp:        Fri Jan 11 00:10:36 2019 (5C384F7C)
CheckSum:         00039A00
ImageSize:        00032000
File version:
Product version:

The vulnerable endpoint is /LSI/Storage/MR/API/1.0/servers/serverid/operations/DISCOVERY. This endpoint is meant to add new intel raid servers to the intel gateway. One example request is below:

POST /LSI/Storage/MR/API/1.0/servers/00:aa:bb:12:04:da/operations/DISCOVERY HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 84
Connection: close

{"action":"SEARCH", "parameters":{"address":"", "isIndirectAgent":true}}

The address will be sent an http GET /ui/, if the response code is 200 then the server is added to the gateway. A request with no JSON body will cause the process to call _invalid_parameter_noinfo.

.text:0000508A                 cmp     edi, [eax+0Ch]
.text:0000508D                 ja      short loc_5095
.text:0000508F                 call    ds:_invalid_parameter_noinfo

This causes in the LSA.exe service to terminate resulting in a denial of service.


2019-10-28 - Initial contact
2019-11-05 - 2nd contact; Vendor acknowledged & assigned PSIRT reference
2019-11-19 - Vendor requested disclosure extension for March timeline
2020-03-10 - Vendor confirmed mitigations
2020-03-24 - Public Release


Discovered by Geoff Serrao of Cisco Talos.