CVE-2021-20655
📋 TL;DR
This vulnerability allows remote attackers with administrator privileges in FileZen to execute arbitrary operating system commands. It affects FileZen versions V3.0.0 to V4.2.7 and V5.0.0 to V5.0.2. Attackers can potentially gain full control of affected systems through command injection.
💻 Affected Systems
- FileZen
📦 What is this software?
FileZen by Soliton
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, ransomware deployment, lateral movement across networks, and persistent backdoor installation.
Likely Case
Unauthorized file access, data exfiltration, and installation of malware or cryptocurrency miners on vulnerable FileZen servers.
If Mitigated
Limited impact due to network segmentation, strong access controls, and monitoring that detects unusual administrator activity.
🎯 Exploit Status
Exploitation requires administrator credentials, but once those are obtained it is straightforward. The vectors are unspecified, which suggests more than one potential injection point.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V4.2.8 and V5.0.3
Vendor Advisory: https://www.soliton.co.jp/support/2021/004334.html
Restart Required: Yes
Instructions:
1. Download the latest version from the vendor website.
2. Back up configuration and data.
3. Stop the FileZen service.
4. Install the updated version.
5. Restart the FileZen service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to only trusted IP addresses and implement multi-factor authentication.
# Configure firewall rules to restrict admin interface access (rule order matters: the ACCEPT for trusted sources must be added before the catch-all DROP)
# Example: iptables -A INPUT -p tcp --dport [FileZen_port] -s [trusted_IP] -j ACCEPT
#          iptables -A INPUT -p tcp --dport [FileZen_port] -j DROP
Network Segmentation
Isolate FileZen servers from critical systems and implement strict outbound filtering.
# Implement network segmentation rules
# Example: Place FileZen in DMZ or isolated VLAN
# Configure firewall to block unnecessary outbound connections
🧯 If You Can't Patch
- Implement strict monitoring of administrator account activity and command execution logs
- Deploy application-level firewall or WAF with command injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check FileZen version in administration interface or configuration files. Versions V3.0.0-V4.2.7 or V5.0.0-V5.0.2 are vulnerable.
Check Version:
# Check version in FileZen web interface under System Information or Settings
Verify Fix Applied:
Verify that the version is V4.2.8 or higher for the V4 series, or V5.0.3 or higher for the V5 series. Test that administrator functionality remains intact after the update.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator login patterns
- OS command execution in application logs
- Multiple failed admin login attempts followed by successful login
Network Indicators:
- Unexpected outbound connections from FileZen server
- Traffic to suspicious IP addresses or domains
SIEM Query:
source="FileZen" AND (event_type="command_execution" OR (user="admin" AND action="login")) | stats count by src_ip, user
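Detection logic for the log indicators above, as an added example that is not part of the original advisory: it runs over constructed sample log lines in a hypothetical whitespace-separated format (FileZen's real log format is not given on this page) and flags a burst of failed admin logins from one source followed by a success, plus every OS command execution event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
# "<ISO timestamp> <user> <src_ip> <event_type> <action>".
# FileZen's real log format is not documented on this page.
SAMPLE_LOG = """\
2021-02-10T09:00:01 admin 203.0.113.5 auth login_failed
2021-02-10T09:00:07 admin 203.0.113.5 auth login_failed
2021-02-10T09:00:12 admin 203.0.113.5 auth login_failed
2021-02-10T09:00:20 admin 203.0.113.5 auth login_success
2021-02-10T09:01:02 admin 203.0.113.5 command_execution run
2021-02-10T10:15:00 alice 198.51.100.7 auth login_success
2021-02-10T10:16:00 admin 192.0.2.10 auth login_failed
2021-02-10T12:30:00 admin 192.0.2.10 auth login_success
"""

FAILED_THRESHOLD = 3            # failed admin logins before a success that count as suspicious
WINDOW = timedelta(minutes=10)  # failures older than this are no longer correlated

def parse_line(line):
    """Split one sample log line into a dict (assumed field order, see SAMPLE_LOG)."""
    ts, user, src_ip, event_type, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": src_ip,
            "event_type": event_type, "action": action}

def detect(log_text):
    """Return alerts as (kind, user, src_ip, timestamp) tuples, in log order:
    'failed_then_success' when >= FAILED_THRESHOLD admin login failures from one
    source IP within WINDOW are followed by a success, and 'command_execution'
    for every OS command execution event regardless of user."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src_ip) -> timestamps of recent failed logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["user"], ev["src_ip"])
        if ev["event_type"] == "command_execution":
            alerts.append(("command_execution", ev["user"], ev["src_ip"], ev["ts"]))
        elif ev["event_type"] == "auth" and ev["user"] == "admin":
            # Forget failures that fall outside the correlation window.
            recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= WINDOW]
            if ev["action"] == "login_failed":
                recent_failures[key].append(ev["ts"])
            elif ev["action"] == "login_success":
                if len(recent_failures[key]) >= FAILED_THRESHOLD:
                    alerts.append(("failed_then_success", ev["user"], ev["src_ip"], ev["ts"]))
                recent_failures[key].clear()
    return alerts
```

Run against the sample, `detect(SAMPLE_LOG)` yields one `failed_then_success` alert for the admin login at 09:00:20 and one `command_execution` alert for the event that follows it; the single stale failure from 192.0.2.10 does not trigger.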