CVE-2020-7861 – CVE-2020-7861 is a directory traversal vulnerab... (How to Fix)

Q: What is the severity of CVE-2020-7861?

CVE-2020-7861 has a CVSS score of 8.4 (HIGH). CVE-2020-7861 is a directory traversal vulnerability in AnySupport remote support software that allows attackers to copy arbitrary files from a management PC to a client PC using the swprintf function. This can lead to arbitrary file execution on client systems. Organizations using AnySupport versions before 2019.3.21.0 are affected.

📋 TL;DR

CVE-2020-7861 is a directory traversal vulnerability in AnySupport remote support software that allows attackers to copy arbitrary files from a management PC to a client PC using the swprintf function. This can lead to arbitrary file execution on client systems. Organizations using AnySupport versions before 2019.3.21.0 are affected.

💻 Affected Systems

Products:

AnySupport Remote Support Solution

Versions: All versions before 2019.3.21.0

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the file copy functionality between management and client PCs in the AnySupport software.

📦 What is this software?

Anysupport by Anysupport

View all CVEs affecting Anysupport →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of client systems through arbitrary file execution, potentially leading to ransomware deployment, data theft, or lateral movement within the network.

🟠

Likely Case

Attackers gain initial foothold on client systems, install malware or backdoors, and potentially escalate privileges to compromise the entire network.

🟢

If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH - AnySupport is typically deployed for remote support and may be internet-facing, making it accessible to external attackers.

🏢 Internal Only: MEDIUM - Even if not internet-facing, internal attackers or compromised accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to the management interface, but the directory traversal technique is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2019.3.21.0 and later

Vendor Advisory: https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36016

Restart Required: Yes

Instructions:

1. Download AnySupport version 2019.3.21.0 or later from the official vendor site. 2. Install the update on all management and client systems. 3. Restart the AnySupport service on all systems.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate AnySupport management interface to trusted networks only

Access Control

all

Implement strict access controls and multi-factor authentication for AnySupport management interface

🧯 If You Can't Patch

Disable AnySupport service if not absolutely required
Implement strict network segmentation to isolate AnySupport systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check AnySupport version in the application interface or installation directory. Versions before 2019.3.21.0 are vulnerable.

Check Version:

Check application interface or look for version information in the installation directory

Verify Fix Applied:

Verify version is 2019.3.21.0 or later and test file copy functionality with directory traversal attempts.

📡 Detection & Monitoring

Log Indicators:

Unusual file copy operations in AnySupport logs
Directory traversal patterns in file paths

Network Indicators:

Unexpected file transfers from management to client systems
Suspicious network connections to AnySupport ports

SIEM Query:

source="AnySupport" AND (path="..\\" OR path="../")

📊 Metadata

CVE ID: CVE-2020-7861

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-23

Published: April 22, 2021

Last Updated: November 21, 2024

🔗 References

https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36016 Third Party Advisory
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36016 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-7861, you might also want to check these: