CVE-2021-23247

9.8 CRITICAL

📋 TL;DR

CVE-2021-23247 is a command injection vulnerability in the Quick Game Engine that allows remote attackers to execute arbitrary code on affected systems. This affects applications built with vulnerable versions of the engine, potentially compromising entire systems where these applications run. Attackers can exploit this without authentication to gain full control over affected devices.

💻 Affected Systems

Products:
  • Quick Game Engine
  • Applications built with Quick Game Engine
Versions: Specific vulnerable versions not detailed in references, but likely multiple versions before patching
Operating Systems: Android, iOS, Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All applications using vulnerable versions of the engine are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and establish persistent backdoors.

🟠 Likely Case

Remote code execution leading to data theft, cryptocurrency mining, or ransomware deployment on vulnerable systems.

🟢 If Mitigated

Limited impact with proper network segmentation, application sandboxing, and strict input validation in place.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated remote exploitation, making internet-facing applications extremely vulnerable.
🏢 Internal Only: HIGH - Even internally deployed applications can be exploited through phishing, compromised internal systems, or lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Command injection vulnerabilities typically have low exploitation complexity and are frequently weaponized in real attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references, but vendor has released security updates

Vendor Advisory: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1501448054614794240

Restart Required: Yes

Instructions:

1. Update Quick Game Engine to latest secure version.
2. Rebuild and redeploy all applications using the engine.
3. Test applications for compatibility.
4. Restart affected services.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement strict input validation and sanitization for all user inputs in applications

Network Segmentation

all

Isolate applications using Quick Game Engine in separate network segments

🧯 If You Can't Patch

  • Remove affected applications from internet-facing networks
  • Implement strict network access controls and monitor for suspicious command execution

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for Quick Game Engine version and compare against vendor's patched versions

Check Version:

Check application manifest or build configuration for engine version details

Verify Fix Applied:

Verify engine version is updated and test applications for proper functionality after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Suspicious process creation from game engine processes
  • Unexpected network connections from game applications

Network Indicators:

  • Unexpected outbound connections from game applications
  • Command and control traffic patterns

SIEM Query:

Process creation where parent process contains 'quick' or 'game engine' AND command line contains suspicious patterns like 'cmd', 'powershell', 'bash' with unusual arguments
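The query above, written out as runnable detection logic over process-creation events. This is an added example, not vendor or SIEM-product code. The event field names (pid, parent_image, image, command_line), the reading of "unusual arguments" as inline-command flags, and the medium/high split are assumptions.

```python
import re

# Parent-process substrings taken from the query on this page.
PARENT_MARKERS = ("quick", "game engine")
# Interpreters named in the query, plus their .exe forms.
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "bash"}
# Assumption: "unusual arguments" means flags that run an inline command.
INLINE_FLAG = re.compile(r"(?:^|\s)(?:/c|-c|-command|-enc\w*)(?=\s|$)", re.I)

def basename(path):
    """Last path component, lower-cased; accepts Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """Return None, "medium" (shell child) or "high" (shell child running an inline command)."""
    parent = event["parent_image"].lower()
    if not any(marker in parent for marker in PARENT_MARKERS):
        return None
    # Match the child on its executable name, not on a substring of the command line,
    # so an argument that merely contains "cmd" or "bash" does not trigger the rule.
    if basename(event["image"]) not in SHELLS:
        return None
    return "high" if INLINE_FLAG.search(event["command_line"]) else "medium"

def detect(events):
    """List (pid, severity) for every event the rule matches."""
    return [(e["pid"], sev) for e in events if (sev := classify(e))]

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": "/opt/quickgame/quick-game-engine",
     "image": "/bin/bash", "command_line": "bash -c 'echo constructed-sample'"},
    {"pid": 102, "parent_image": r"C:\Games\QuickGame\QuickGameEngine.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo constructed-sample"},
    {"pid": 103, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-Date"},
    {"pid": 104, "parent_image": "/opt/quickgame/quick-game-engine",
     "image": "/opt/quickgame/renderer",
     "command_line": "/opt/quickgame/renderer --scene cmd-tutorial"},
    {"pid": 105, "parent_image": "/opt/quickgame/quick-game-engine",
     "image": "/bin/bash", "command_line": "bash --login"},
]

if __name__ == "__main__":
    for pid, severity in detect(SAMPLE_EVENTS):
        print(pid, severity)
```

The 'quick' substring also matches unrelated software whose path contains that word, so tune PARENT_MARKERS to the actual engine binary names in your environment.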
