CVE-2021-26556
📋 TL;DR
CVE-2021-26556 is a local privilege escalation vulnerability in Octopus Server. When the product is installed to a custom (non-default) folder, the installation directory receives incorrect ACLs, so unprivileged local users can write into it and perform DLL side-loading attacks. This lets an attacker execute arbitrary code with the privileges of the Octopus Server service. Only installations using non-default folder paths are affected.
💻 Affected Systems
- Octopus Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges on the Octopus Server host, potentially compromising the entire Octopus deployment and connected infrastructure.
Likely Case
Local user with limited privileges escalates to Octopus service account privileges, gaining control over deployment automation and sensitive credentials.
If Mitigated
With correct folder ACLs and restricted local access, the attack surface is minimized; unpatched installations in custom folders whose ACLs have not been tightened remain exploitable.
🎯 Exploit Status
Exploitation requires local access to the server and knowledge of DLL side-loading techniques. The vulnerability is well-documented in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.6.5147 and later
Vendor Advisory: https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-%28CVE-2021-26556%29.1733296189.html
Restart Required: Yes
Instructions:
1. Upgrade Octopus Server to version 2020.6.5147 or later.
2. Restart the Octopus Server service.
3. Verify the installation folder ACLs are correctly set.
🔧 Temporary Workarounds
Set Correct Folder ACLs
Windows: Manually set proper ACLs on the Octopus Server installation folder to prevent unauthorized write access. Replace C:\CustomOctopusPath with your installation folder and OctopusServiceAccount with the account the Octopus Server service runs as. Note that an explicit deny on Users also applies to administrators, since interactive administrator accounts are members of Users (via Authenticated Users); if that is a problem, drop the deny and rely on removing inheritance plus the explicit grants.
icacls "C:\CustomOctopusPath" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" /grant "OctopusServiceAccount:(OI)(CI)RX" /deny "Users:(OI)(CI)W"
Move to Default Location
Windows: Reinstall Octopus Server to the default installation location, where ACLs are automatically set correctly.
🧯 If You Can't Patch
- Restrict local access to Octopus Server hosts to trusted administrators only
- Implement strict file integrity monitoring on Octopus Server installation directories
🔍 How to Verify
Check if Vulnerable:
Check if Octopus Server is installed to a custom folder location and version is below 2020.6.5147. Verify folder permissions allow non-admin users to write to the installation directory.
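The following PowerShell script is an added example, not part of the advisory or of Octopus Deploy's own tooling. It performs the two checks above in one pass: it reads the installed version from the registry key quoted in this page and compares it against the fixed build, and it walks the installation folder (and its subfolders) reporting every Allow ACE that grants a write-type right to a principal outside a trusted list. The install path and the trusted principal list are assumptions; adjust both to your environment.

```powershell
# Added example: audit an Octopus Server install folder for CVE-2021-26556 exposure.
# Assumptions: $InstallPath is your custom install folder; $TrustedPrincipals are the
# only identities that should be able to write there. Run as an administrator.
param(
    [string]$InstallPath = 'C:\CustomOctopusPath',            # assumed custom location
    [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
    [version]$FixedVersion = [version]'2020.6.5147'          # from the advisory
)

# Any of these rights lets a caller plant or replace a file (enough for DLL side-loading).
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'

function Test-OctopusVersionVulnerable {
    # Registry path is the one quoted on this page; the comparison is the only logic added here.
    $key = 'HKLM:\SOFTWARE\Octopus\OctopusServer'
    $installed = (Get-ItemProperty -Path $key -Name 'Version' -ErrorAction Stop).Version
    return [pscustomobject]@{
        Installed  = $installed
        Fixed      = $FixedVersion
        Vulnerable = ([version]$installed -lt $FixedVersion)
    }
}

function Get-UntrustedWriteAce {
    # Report Allow ACEs on $Path that grant write-type rights to a non-trusted principal.
    param([string]$Path, [string[]]$Trusted)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Invoke-OctopusAclAudit {
    param([string]$Path, [string[]]$Trusted)
    # Check the root folder and every subfolder; an inherited loose ACE shows up on all of them.
    $folders = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Directory -Recurse)
    $findings = foreach ($f in $folders) { Get-UntrustedWriteAce -Path $f.FullName -Trusted $Trusted }
    return @($findings)
}

$versionInfo = Test-OctopusVersionVulnerable
$versionInfo | Format-List

$findings = Invoke-OctopusAclAudit -Path $InstallPath -Trusted $TrustedPrincipals
if ($findings.Count -eq 0) {
    Write-Output "No untrusted write ACEs found under $InstallPath"
} else {
    Write-Output "Untrusted write ACEs found (DLL side-loading exposure):"
    $findings | Format-Table -AutoSize
}
```

A host is exposed when the version is below the fixed build and the audit lists at least one finding; if the ACE is reported as Inherited, the loose permission comes from a parent folder, which is exactly the situation a custom install path tends to create.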
Check Version:
Check Octopus Server web interface or run: Get-ItemProperty -Path "HKLM:\SOFTWARE\Octopus\OctopusServer" -Name "Version"
Verify Fix Applied:
Confirm Octopus Server version is 2020.6.5147 or later and verify installation folder ACLs restrict write access to authorized accounts only.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL files in Octopus Server installation directory
- Failed attempts to write to protected directories
- Octopus service running with unexpected privileges
Network Indicators:
- None - this is a local attack
SIEM Query:
EventID=4663 AND ObjectName="*Octopus*" AND Accesses="WriteData" AND SubjectUserName!="SYSTEM" AND SubjectUserName!="Administrator"
Event 4663 is only generated when "Audit Object Access" (File System) is enabled in the audit policy and the installation folder carries a matching audit SACL; without both, the query returns nothing. Also note that writes performed as Local System are usually logged under the machine account (HOSTNAME$) rather than the literal name "SYSTEM".
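As an added example (not from the advisory), the PowerShell below implements the log-indicator checks on a single host: it places a Success audit SACL for write and delete rights on the installation folder so that Security event 4663 fires on file creation or modification there, then pulls recent 4663 events under that path and filters out the identities expected to write (the machine account that represents Local System, plus the service account). The install path, the expected account names and the lookback window are assumptions.

```powershell
# Added example: local detection of unexpected writes (e.g. planted DLLs) in the
# Octopus Server install folder. Requires administrator rights and the
# "Audit Object Access" / "File System" audit subcategory enabled in audit policy.
param(
    [string]$InstallPath = 'C:\CustomOctopusPath',                      # assumed custom location
    [string[]]$ExpectedAccounts = @('OctopusServiceAccount'),            # assumed service account name
    [int]$LookbackHours = 24
)

function Enable-WriteAudit {
    # Add a Success audit rule for write/delete rights, inherited by files and subfolders.
    param([string]$Path)
    $acl     = Get-Acl -Path $Path -Audit
    $rights  = [System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]::Success
    $rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function ConvertFrom-EventData {
    # Flatten the EventData <Data Name="..."> elements of an event into a hashtable.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-SuspiciousWriteEvents {
    # Return 4663 events under $Path whose subject is not an expected writer.
    param([string]$Path, [string[]]$Expected, [int]$Hours)
    # Access mask bits: 0x2 WriteData, 0x4 AppendData, 0x40 DeleteChild, 0x10000 DELETE.
    $writeMask = 0x10046
    # Local System is logged under the machine account, not the literal name SYSTEM.
    $machine = "$env:COMPUTERNAME`$"
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData -Event $e
        if ($d.ObjectName -notlike "$Path*") { continue }
        $mask = [convert]::ToInt32($d.AccessMask, 16)
        if (($mask -band $writeMask) -eq 0) { continue }
        if ($d.SubjectUserName -eq $machine -or $Expected -contains $d.SubjectUserName) { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = $d.ProcessName
            Object     = $d.ObjectName
            IsDll      = ($d.ObjectName -like '*.dll')
            AccessMask = $d.AccessMask
        }
    }
}

Enable-WriteAudit -Path $InstallPath
$hits = @(Get-SuspiciousWriteEvents -Path $InstallPath -Expected $ExpectedAccounts -Hours $LookbackHours)
if ($hits.Count -eq 0) {
    Write-Output "No unexpected writes under $InstallPath in the last $LookbackHours hours"
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

Any row with IsDll set to True and a subject outside the expected list is the "unexpected DLL files in installation directory" indicator from the list above; rows for other file types still show who is able to write into the folder and are worth reconciling against the ACL audit.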