CVE-2021-26473 – CVE-2021-26473 is a critical vulnerability in V... (How to Fix)

Q: What is the severity of CVE-2021-26473?

CVE-2021-26473 has a CVSS score of 9.8 (CRITICAL). CVE-2021-26473 is a critical vulnerability in VembuBDR and VembuOffsiteDR backup software that allows unauthenticated attackers to write arbitrary files to the web server via a flawed HTTP API endpoint. This can lead to remote code execution by accessing the uploaded files through the web server, potentially compromising the entire system. Organizations using affected versions of these products are at risk.

📋 TL;DR

CVE-2021-26473 is a critical vulnerability in VembuBDR and VembuOffsiteDR backup software that allows unauthenticated attackers to write arbitrary files to the web server via a flawed HTTP API endpoint. This can lead to remote code execution by accessing the uploaded files through the web server, potentially compromising the entire system. Organizations using affected versions of these products are at risk.

💻 Affected Systems

Products:

VembuBDR
VembuOffsiteDR

Versions: Versions before 4.2.0.1

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects both on-premises and cloud deployments; the vulnerable endpoint is part of the standard web service.

📦 What is this software?

Bdr Suite by Vembu

View all CVEs affecting Bdr Suite →

Offsite Dr by Vembu

View all CVEs affecting Offsite Dr →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining remote code execution, leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Remote code execution allowing attackers to install malware, exfiltrate sensitive backup data, or disrupt backup operations.

🟢

If Mitigated

Limited impact if network segmentation and strict access controls prevent external exploitation, though internal threats may persist.

🌐 Internet-Facing: HIGH, as the vulnerability is exploitable remotely without authentication, making exposed instances prime targets for attacks.

🏢 Internal Only: HIGH, as internal attackers or malware could exploit this to escalate privileges or move laterally within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code, making it highly attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.0.1

Vendor Advisory: https://help.vembu.com/vembu-bdr-suite-release-notes/

Restart Required: Yes

Instructions:

1. Download the latest version (4.2.0.1 or later) from the Vembu website. 2. Backup current configurations. 3. Install the update following vendor instructions. 4. Restart the Vembu services to apply changes.

🔧 Temporary Workarounds

Block Access to Vulnerable Endpoint

all

Restrict access to the /sgwebservice_o.php endpoint using web server or firewall rules to prevent exploitation.

For Apache: add 'Deny from all' to .htaccess for /sgwebservice_o.php
For Nginx: add 'location /sgwebservice_o.php { deny all; }' to config

Network Segmentation

all

Isolate Vembu servers from the internet and restrict internal access to trusted IPs only.

Use firewall rules to allow only specific IPs to the Vembu web port (default 6060)

🧯 If You Can't Patch

Implement strict network access controls to limit exposure to the Vembu web interface.
Monitor logs for suspicious activity targeting /sgwebservice_o.php and set up alerts for file upload attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Vembu software version via the web interface or by examining installed files; versions below 4.2.0.1 are vulnerable.

Check Version:

On Windows: Check 'Programs and Features' for Vembu version. On Linux: Run 'vembu --version' or check package manager.

Verify Fix Applied:

Confirm the version is 4.2.0.1 or higher in the software settings and test that the /sgwebservice_o.php endpoint no longer accepts arbitrary file writes.

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /sgwebservice_o.php with 'logFilePath' parameter
Unusual file creation in web-accessible directories
Errors or warnings in Vembu application logs related to file writes

Network Indicators:

Inbound traffic to Vembu web port (default 6060) with POST requests to /sgwebservice_o.php
Outbound connections from Vembu server to unknown IPs post-exploitation

SIEM Query:

source="vembu_logs" AND (url="/sgwebservice_o.php" OR message="logFilePath")

📊 Metadata

CVE ID: CVE-2021-26473

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: June 8, 2021

Last Updated: November 21, 2024

🔗 References

https://csirt.divd.nl/2021/05/11/Vembu-zero-days/ Third Party Advisory
https://csirt.divd.nl/cases/DIVD-2020-00011/ Third Party Advisory
https://csirt.divd.nl/cves/CVE-2021-26473/ Third Party Advisory
https://www.wbsec.nl/vembu Broken Link,Third Party Advisory
https://csirt.divd.nl/2021/05/11/Vembu-zero-days/ Third Party Advisory
https://csirt.divd.nl/cases/DIVD-2020-00011/ Third Party Advisory
https://csirt.divd.nl/cves/CVE-2021-26473/ Third Party Advisory
https://www.wbsec.nl/vembu Broken Link,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-26473, you might also want to check these: