CVE-2021-27198

9.8 CRITICAL

📋 TL;DR

CVE-2021-27198 lets an unauthenticated attacker upload arbitrary files to Visualware MyConnection Server through the myspeed/sf?filename= URI and thereby execute code remotely. All versions before 11.1a are affected. On Windows the service runs as SYSTEM, so a successful upload yields full control of the host.

💻 Affected Systems

Products:
  • Visualware MyConnection Server
Versions: All versions before 11.1a
Operating Systems: Windows, Linux, macOS, All Java-supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Windows installations are particularly dangerous as they run with SYSTEM privileges by default. The vulnerability exists in the web service component.

📦 What is this software?

Visualware MyConnection Server is a Java-based server for broadband speed and network quality (QoS) testing; the myspeed web application is the component that clients talk to, and it is where the vulnerable upload handler lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM/root privileges, allowing attackers to install malware, steal data, pivot to other systems, or create persistent backdoors.

🟠

Likely Case

Remote code execution leading to web shell installation, credential theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation and least-privilege principles are implemented, though initial compromise would still be possible.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and has public exploit code, making internet-facing instances prime targets.
🏢 Internal Only: HIGH - Even internally, the lack of authentication requirement makes exploitation trivial for any internal attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires no authentication. Attackers can upload malicious files via the myspeed/sf?filename= URI to achieve RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.1a and later

Vendor Advisory: https://myconnectionserver.visualware.com/support/newrelease.html

Restart Required: Yes

Instructions:

1. Download version 11.1a or later from the vendor website.
2. Back up the current configuration.
3. Stop the MyConnection Server service.
4. Install the updated version.
5. Restart the service.

🔧 Temporary Workarounds

Block vulnerable endpoint

linux

Block access to the myspeed/sf endpoint at a web application firewall, reverse proxy, or network filter. The iptables string match below is a coarse stopgap: it only works on cleartext HTTP (it cannot see inside TLS), it misses requests whose URI is split across packets or percent-encoded, and it drops every packet carrying the string, legitimate use of that path included. Replace [MyConnection_PORT] with the port the web service listens on.

iptables -A INPUT -p tcp --dport [MyConnection_PORT] -m string --string "myspeed/sf" --algo bm -j DROP

Network segmentation

all

Restrict network access to MyConnection Server to trusted source addresses only. The rich rule below admits TRUSTED_IP on PORT; it only keeps everyone else out if the port is not also opened zone-wide (remove any general --add-port or --add-service entry for it) and the zone's target rejects unmatched traffic. Run firewall-cmd --reload afterwards so the permanent rule takes effect.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="PORT" accept'

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and restrict internal network access
  • Front the web service with a reverse proxy or WAF that rejects requests to the myspeed/sf endpoint from untrusted sources, and monitor that endpoint for upload attempts

🔍 How to Verify

Check if Vulnerable:

A server that accepts an unauthenticated request to /myspeed/sf?filename=test, rather than rejecting it, is exposing the vulnerable handler; do not upload real content to a production host to confirm this. The version check is the reliable test.

Check Version:

Check the web interface admin panel or service logs for version information. On Windows: Check installed programs list. On Linux: Check package manager or installation directory.

Verify Fix Applied:

Verify the installed version is 11.1a or later and test that the myspeed/sf endpoint no longer accepts arbitrary file uploads.
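The version checks above (Check Version and Verify Fix Applied) can be scripted across a fleet. The block below is an added example written for this page, not vendor code: it orders MyConnection Server version strings of the form major.minor[letter] (11.0h, 11.1a) and reports the hosts that are still below 11.1a. The rule that a release with no letter (11.1) precedes its "a" revision, the triage helper, and the hypothetical inventory and hostnames are this example's own assumptions.

```python
"""Decide from a version string whether a MyConnection Server install is
below the fixed release 11.1a (CVE-2021-27198).

Added example. Assumes the vendor's "major.minor[letter]" numbering
(e.g. 11.0h, 11.1a); that a release with no letter precedes the "a"
revision of the same number is this example's assumption, not vendor
documentation."""

import re

FIXED_VERSION = "11.1a"
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)([a-z])?$")


def parse_version(text):
    """Turn '11.1a' into the comparable tuple (11, 1, 1); '11.1' becomes (11, 1, 0).

    Raises ValueError for anything that does not look like major.minor[letter],
    so an unexpected format is surfaced instead of silently treated as patched.
    """
    m = VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised MyConnection Server version: {text!r}")
    major, minor, letter = m.groups()
    # letter 'a' -> 1, 'b' -> 2, ...; no letter -> 0 (assumed to sort first)
    revision = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), revision)


def is_vulnerable(version):
    """True when the installed version is older than 11.1a."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return, sorted, the hostnames from a {host: version} map that still need the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for illustration; these are not real hosts.
INVENTORY = {
    "mcs-01": "11.0h",
    "mcs-02": "11.1a",
    "mcs-03": "11.1",
    "mcs-04": "11.2b",
    "mcs-05": "9.3e",
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is below {FIXED_VERSION}, patch required")
```

Feed it the version strings collected from the admin panel, service logs, or the Windows installed-programs list; anything that does not parse raises rather than being skipped, which is the safer failure mode for a patch audit.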

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'myspeed/sf?filename=' patterns
  • Unusual file upload activities to the web service
  • Java process spawning unexpected child processes

Network Indicators:

  • POST requests to /myspeed/sf endpoint with file uploads
  • Unusual outbound connections from the MyConnection Server host

SIEM Query:

source="web_logs" AND uri="*myspeed/sf*" AND (method="POST" OR params="*filename=*")
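The log indicators and the SIEM query above can also be checked offline against exported access logs. The block below is an added example written for this page, not code from Visualware or from any published exploit: it parses combined-format web log lines, picks out requests to /myspeed/sf, and ranks them, treating a filename parameter that contains a path-traversal sequence or an executable extension as a likely attack. The severity levels, the heuristic patterns, and the sample log lines (constructed traffic using documentation-range IPs) are this example's own assumptions.

```python
"""Flag suspicious requests to the MyConnection Server /myspeed/sf endpoint
in combined-format web access logs.

Added example for CVE-2021-27198 triage. The severities and the filename
heuristics are this example's own choices, not vendor guidance."""

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format as written by Apache or nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

TARGET_PATH = "/myspeed/sf"
# Heuristics: a filename that escapes the upload directory or names an
# executable artefact is unlikely to come from a legitimate client.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|^[/\\]|^[A-Za-z]:[/\\]")
EXEC_EXTS = (".jsp", ".jspx", ".class", ".jar", ".war", ".exe", ".dll",
             ".bat", ".cmd", ".ps1", ".sh")


def fully_unquote(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(method, uri):
    """Return (severity, reason) for one request, or None if it is not
    aimed at the vulnerable endpoint."""
    parts = urlsplit(uri)
    path = fully_unquote(parts.path).rstrip("/").lower()
    if not path.endswith(TARGET_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    filenames = [fully_unquote(f) for f in params.get("filename", [])]
    if not filenames:
        return ("low", "request to upload endpoint without filename parameter")
    for name in filenames:
        if TRAVERSAL_RE.search(name):
            return ("critical", f"path traversal in filename: {name!r}")
        if name.lower().endswith(EXEC_EXTS):
            return ("critical", f"executable extension in filename: {name!r}")
    if method == "POST":
        return ("high", f"POST upload with filename {filenames[0]!r}")
    return ("medium", f"{method} with filename {filenames[0]!r}")


def scan_log(lines):
    """Return one alert dict per suspicious request found in the log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify(m["method"], m["uri"])
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                       "status": int(m["status"]), "severity": severity,
                       "reason": reason})
    return alerts


# Constructed sample log lines (not real traffic); client IPs are from
# documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2021:10:00:00 +0000] "GET /myspeed/index.html HTTP/1.1" 200 1234',
    '203.0.113.7 - - [01/Mar/2021:10:01:13 +0000] "POST /myspeed/sf?filename=..%2F..%2Fx.jsp HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Mar/2021:10:02:44 +0000] "GET /myspeed/sf?filename=test HTTP/1.1" 200 512',
    '192.0.2.3 - - [01/Mar/2021:10:03:01 +0000] "POST /myspeed/sf?filename=result.txt HTTP/1.1" 200 20',
    '192.0.2.3 - - [01/Mar/2021:10:03:05 +0000] "POST /MySpeed/SF/?filename=%252e%252e%252fcmd.exe HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']:8}] {alert['ip']:15} {alert['method']} "
              f"{alert['status']} {alert['reason']}")
```

The path comparison is case-insensitive and decodes percent-encoding more than once because an attacker probing the endpoint will not write the URI the way the SIEM query above expects it; a 200 on a critical hit is the line to chase first, and pair it with the host-side indicators (unexpected children of the Java process, new outbound connections) before declaring a compromise.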

🔗 References
