CVE-2021-41293
Published 2021-09-30
Priority P1 · 81 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 20.08% (percentile 97.1)
The ECOA BAS controller suffers from a path traversal vulnerability that allows arbitrary file disclosure. Using the 'fname' POST parameter of viewlog.jsp, unauthenticated attackers can remotely read arbitrary files from the affected device and obtain sensitive system information.
Detection & IOCs (extracted from sources)

yara

    // Matches the two literals anywhere in the scanned buffer, so run it against
    // HTTP request bodies destined for /viewlog.jsp rather than whole packet captures.
    // A percent-encoded traversal (%2e%2e%2f) will not hit the literal "../" string.
    rule CVE_2021_41293_ECOA_LFI
    {
        meta:
            cve = "CVE-2021-41293"
        strings:
            $req = "fname="
            $traversal = "../"
        condition:
            $req and $traversal
    }

- Detect POST requests to /viewlog.jsp containing path traversal sequences (e.g. '../') in the 'fname' parameter. Exploitation is unauthenticated and requires no prior session.
- A successful exploit response contains a string matching 'root:.*:0:0:' in the HTTP 200 response body, indicating that /etc/passwd was retrieved.
- No authentication is required, so flag any unauthenticated POST to /viewlog.jsp whose 'fname' value contains a directory traversal sequence as high severity.
- The traversal depth shown in the PoC (8 levels: ../../../../../../../../) targets /etc/passwd, but arbitrary files at any depth may be reachable; detection rules should match on any occurrence of '../' in the fname parameter, not only that specific depth.
- The vulnerability is confirmed against ECOA ECS Router Controller-ECS firmware; the CPE cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:* should be used to scope asset identification.
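The detection notes above describe two checks: a request-side rule (POST to /viewlog.jsp with a traversal sequence in 'fname' at any depth) and a response-side confirmation (HTTP 200 body matching root:.*:0:0:). The following is an added example, not code from the original page, the ECOA vendor or any of the listed sources, that runs both checks over constructed request/response records. It goes slightly beyond the notes by percent-decoding the parameter repeatedly, so that single- and double-encoded traversal sequences (which a literal '../' match misses) are also caught; the record layout, the function names and the sample traffic are assumptions made for the example.

```python
"""Detection logic for CVE-2021-41293: unauthenticated path traversal via the
'fname' POST parameter of /viewlog.jsp on ECOA BAS controllers.

Added example, not code from the original page, the ECOA vendor or any of the
listed sources. The record layout and the sample traffic below are constructed
for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/viewlog.jsp"                 # endpoint named in the detection notes
VULN_PARAM = "fname"                       # POST parameter carrying the file name
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")    # '../' or '..\' (the backslash form is a generalisation)
PASSWD_RE = re.compile(r"root:.*:0:0:")    # success indicator quoted in the notes


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e%2f and a double-encoded
    %252e%252e%252f both collapse to '../'. parse_qs() already removed one layer;
    this handles any extra layers an attacker stacked on top."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(method: str, target: str, body: str) -> bool:
    """True for a POST to /viewlog.jsp whose 'fname' value contains a traversal
    sequence at any depth (the PoC uses 8 levels, but the depth is irrelevant)."""
    if method.upper() != "POST":
        return False
    if urlsplit(target).path != VULN_PATH:
        return False
    for raw in parse_qs(body, keep_blank_values=True).get(VULN_PARAM, []):
        if TRAVERSAL_RE.search(_fully_decode(raw)):
            return True
    return False


def is_confirmed_disclosure(status: int, response_body: str) -> bool:
    """A 200 whose body matches root:.*:0:0: means /etc/passwd content came back."""
    return status == 200 and PASSWD_RE.search(response_body) is not None


def triage(records):
    """Classify each request/response record.

    Returns a list of (src_ip, verdict) tuples, where verdict is 'confirmed'
    (file content observed in the reply) or 'attempt' (traversal sent, no
    /etc/passwd content returned). Benign traffic yields nothing."""
    findings = []
    for rec in records:
        if not is_traversal_request(rec["method"], rec["target"], rec["body"]):
            continue
        verdict = "confirmed" if is_confirmed_disclosure(rec["status"], rec["resp_body"]) else "attempt"
        findings.append((rec["src"], verdict))
    return findings


# Constructed sample traffic (not captured from a real device).
SAMPLE_RECORDS = [
    {   # the public PoC shape: 8-level traversal, /etc/passwd returned
        "src": "198.51.100.7", "method": "POST", "target": "/viewlog.jsp",
        "body": "fname=../../../../../../../../etc/passwd",
        "status": 200, "resp_body": "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n",
    },
    {   # single URL-encoded traversal, different depth and file, blocked upstream
        "src": "203.0.113.9", "method": "POST", "target": "/viewlog.jsp",
        "body": "fname=%2e%2e%2f%2e%2e%2fetc%2fshadow",
        "status": 403, "resp_body": "Forbidden",
    },
    {   # double-encoded traversal: a literal '../' match on the raw body misses this
        "src": "203.0.113.9", "method": "POST", "target": "/viewlog.jsp",
        "body": "fname=%252e%252e%252fetc%252fpasswd",
        "status": 200, "resp_body": "<html>log not found</html>",
    },
    {   # legitimate use of the log viewer
        "src": "192.0.2.4", "method": "POST", "target": "/viewlog.jsp",
        "body": "fname=system.log",
        "status": 200, "resp_body": "2021-09-30 12:00:01 controller started\n",
    },
    {   # traversal string on an unrelated endpoint: out of scope for this rule
        "src": "192.0.2.5", "method": "POST", "target": "/login.jsp",
        "body": "user=../../etc/passwd&pass=x",
        "status": 401, "resp_body": "",
    },
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_RECORDS):
        print(f"{src}: {verdict}")
```

The request check deliberately keys on the path and parameter rather than on a fixed traversal depth, matching the note above that any depth may reach arbitrary files; the response check turns an attempt into a confirmed disclosure only when the page's stated indicator (a 200 with root:.*:0:0:) is present, which is what separates scanner noise from an actual data leak in the triage queue.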
CVSS provenance
    nvd        v3.1   7.5   HIGH     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    nvd        v2.0   5.0   MEDIUM   AV:N/AC:L/Au:N/C:P/I:N/A:N
    vulncheck         7.5   HIGH
GHSA
GHSA-5jqh-v34h-7q6v: ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure
ghsa_unreviewed · 2022-05-24 · CVE-2021-41293 · HIGH · CWE-22
VulnCheck
ecoa ecs_router_controller-ecs_firmware: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2021 · CVE-2021-41293 · HIGH · CVSS 7.5
Affected: ecoa ecs_router_controller-ecs_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-41293; https://dashboard.shadowserver.org/statisti
No detection rules found in this source.
Nuclei
ECOA Building Automation System - Arbitrary File Retrieval
nuclei · CVE-2021-41293 · HIGH · CVSS 7.5
The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
Template:

    id: CVE-2021-41293

    info:
      name: ECOA Building Automation System - Arbitrary File Retrieval
      author: 0x_Akoko
      severity: high
      description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
      impact: |
        Unauthenticated attackers can read arbitrary files from the ECOA BAS controller including /etc/passwd vi