CVE-2021-27213

9.8 CRITICAL

📋 TL;DR

CVE-2021-27213 is a critical remote code execution vulnerability in pystemon's config.py file that allows attackers to execute arbitrary code via YAML deserialization. The vulnerability affects all pystemon instances using unsafe YAML loading methods. Anyone running pystemon before the February 13, 2021 patch is vulnerable to complete system compromise.

💻 Affected Systems

Products:
  • pystemon
Versions: All versions before 2021-02-13
Operating Systems: All operating systems running pystemon
Default Config Vulnerable: ⚠️ Yes
Notes: Any pystemon instance using the vulnerable config.py file is affected regardless of configuration.

📦 What is this software?

pystemon (github.com/cvandeplas/pystemon) is an open-source Python tool that monitors Pastebin-style paste sites and saves pastes matching user-defined regular expressions. Its settings come from a YAML configuration file, and config.py is the module that parses that file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root/administrator privileges, allowing attackers to install persistent backdoors, exfiltrate sensitive data, and pivot to other systems in the network.

🟠 Likely Case

Remote code execution with the privileges of the pystemon process, enabling data theft, cryptocurrency mining, or use as a botnet node.

🟢 If Mitigated

No impact if the YAML SafeLoader is used or if the system is patched to a version after February 13, 2021.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability lies in YAML deserialization, which is trivial to exploit with publicly available payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021-02-13 or later

Vendor Advisory: https://github.com/cvandeplas/pystemon/commit/dbeb87afefdb63de2f4cff69b6f10c5965d14b54

Restart Required: Yes

Instructions:

1. Update pystemon to version 2021-02-13 or later.
2. Replace unsafe yaml.load() with yaml.safe_load() in config.py.
3. Restart the pystemon service.

🔧 Temporary Workarounds

Manual config.py patch

linux

Manually edit config.py to use SafeLoader instead of unsafe YAML loading. The substitution below rewrites every yaml.load( occurrence, including any call that already passes an explicit Loader= argument (yaml.safe_load() takes no Loader keyword), so review the resulting file before restarting the service.

sed -i "s/yaml.load(/yaml.safe_load(/g" /path/to/pystemon/config.py

🧯 If You Can't Patch

  • Disable pystemon service immediately and remove from network
  • Implement strict network segmentation and firewall rules to isolate vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check config.py for yaml.load() calls without SafeLoader parameter

Check Version:

Check pystemon version or commit date (should be >= 2021-02-13)

Verify Fix Applied:

Verify config.py uses yaml.safe_load() or yaml.load(..., Loader=yaml.SafeLoader)
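Both the "Check if Vulnerable" and "Verify Fix Applied" steps, and step 2 of the official fix, come down to one question: does config.py call yaml.load() (or yaml.load_all()) without SafeLoader? The script below is an added example, not pystemon's own code, that answers it statically with Python's ast module, so it runs without PyYAML installed. It resolves `import yaml as ...` and `from yaml import load` aliases, handles the Loader passed as a keyword or as the second positional argument, and reports the line number of each offending call. The embedded SAMPLE_CONFIG_PY is a constructed stand-in, not pystemon's real config.py.

```python
import ast
import sys
from pathlib import Path

# Loaders that refuse to construct arbitrary Python objects from tags.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
CHECKED_CALLS = {"yaml.load", "yaml.load_all"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _yaml_aliases(tree):
    """Map local names to yaml attributes, e.g. 'import yaml as y' -> {'y': 'yaml'}
    and 'from yaml import load as l' -> {'l': 'yaml.load'}."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    aliases[alias.asname or "yaml"] = "yaml"
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"yaml.{alias.name}"
    return aliases


def _resolve(name, aliases):
    """Rewrite the first component of a dotted name through the alias map."""
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return sorted (line, reason) pairs for every yaml.load()/yaml.load_all()
    call whose Loader is missing or not a safe loader. yaml.safe_load() passes."""
    tree = ast.parse(source, filename)
    aliases = _yaml_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        raw = _dotted_name(node.func)
        if raw is None or _resolve(raw, aliases) not in CHECKED_CALLS:
            continue
        # Loader may be given as a keyword or as the second positional argument.
        loader_node = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader_node is None and len(node.args) >= 2:
            loader_node = node.args[1]
        if loader_node is None:
            findings.append((node.lineno, f"{raw}() called without a Loader"))
            continue
        loader = _dotted_name(loader_node)
        loader = _resolve(loader, aliases) if loader else "<expression>"
        if loader.rsplit(".", 1)[-1] not in SAFE_LOADERS:
            findings.append((node.lineno, f"{raw}() uses Loader={loader}, not SafeLoader"))
    return sorted(findings)


# Constructed sample standing in for a config.py; it is not pystemon's real file.
SAMPLE_CONFIG_PY = """\
import yaml
from yaml import load as yload, SafeLoader

def cfg_unsafe(f):
    return yaml.load(f)                          # line 5: no Loader at all

def cfg_full(f):
    return yaml.load(f, Loader=yaml.FullLoader)  # line 8: not SafeLoader

def cfg_alias(f):
    return yload(f, yaml.Loader)                 # line 11: positional unsafe Loader

def cfg_fixed(f):
    return yaml.safe_load(f)                     # fine

def cfg_fixed_explicit(f):
    return yaml.load(f, Loader=SafeLoader)       # fine
"""


def main(paths):
    """Scan the given files, or the embedded sample if none; return finding count."""
    sources = [(p, Path(p).read_text(encoding="utf-8")) for p in paths]
    sources = sources or [("sample_config.py", SAMPLE_CONFIG_PY)]
    findings = [(n, ln, why) for n, s in sources for ln, why in find_unsafe_yaml_loads(s, n)]
    for name, line, reason in findings:
        print(f"{name}:{line}: {reason}")
    return len(findings)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it as `python check_yaml_load.py /path/to/pystemon/config.py`; a non-zero exit status means at least one unsafe call remains, which makes it easy to wire into a pre-deployment check. FullLoader is reported as well because the advisory's verification criterion is SafeLoader specifically; only a `Loader=yaml.SafeLoader` call or `yaml.safe_load()` passes.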

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from pystemon
  • Suspicious YAML parsing errors
  • Unexpected system commands in pystemon logs

Network Indicators:

  • Outbound connections from pystemon to unknown IPs
  • Unusual traffic patterns from pystemon port

SIEM Query:

process_name:pystemon AND (cmdline:*yaml* OR cmdline:*python* -exec*)
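The "Unusual process execution from pystemon" indicator above is the one that survives a successful exploit regardless of payload, because a Python process that only ever parses YAML and fetches pastes has no business spawning shells or tools. The following added example, not from the page or the pystemon project, turns that indicator into a concrete rule over process-creation events: it flags any process whose ancestry leads back to a pystemon interpreter but whose executable is outside an allowlist. The JSON field names, the allowlist, and the sample events are all assumptions; real sources such as auditd or Sysmon use different schemas.

```python
import json

# Executables a pystemon interpreter is expected to launch. pystemon is pure
# Python, so this allowlist is an assumption to tune per deployment.
EXPECTED_CHILD_EXES = {"/usr/bin/python3"}
MAX_ANCESTRY_DEPTH = 32

# Constructed process-creation events in an assumed, simplified JSON shape
# (one object per line). Real sources such as auditd or Sysmon differ.
SAMPLE_EVENTS = """\
{"ts": "2021-02-14T10:00:01Z", "pid": 4100, "ppid": 1, "user": "pystemon", "exe": "/usr/bin/python3", "cmdline": "python3 pystemon.py -c pystemon.yaml"}
{"ts": "2021-02-14T10:00:07Z", "pid": 4101, "ppid": 4100, "user": "pystemon", "exe": "/bin/sh", "cmdline": "sh -c uname -a"}
{"ts": "2021-02-14T10:00:07Z", "pid": 4102, "ppid": 4101, "user": "pystemon", "exe": "/usr/bin/uname", "cmdline": "uname -a"}
{"ts": "2021-02-14T10:00:09Z", "pid": 4103, "ppid": 1, "user": "root", "exe": "/bin/sh", "cmdline": "sh -c uname -a"}
{"ts": "2021-02-14T10:00:12Z", "pid": 4104, "ppid": 4100, "user": "pystemon", "exe": "/usr/bin/python3", "cmdline": "python3 -c pass"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_pystemon(event):
    """Heuristic: the monitored process is a Python interpreter running pystemon."""
    return "pystemon" in event.get("cmdline", "")


def pystemon_ancestor(event, by_pid):
    """Return the nearest pystemon ancestor of event, or None. The depth cap
    guards against cycles in malformed or reused-pid data."""
    parent = by_pid.get(event.get("ppid"))
    for _ in range(MAX_ANCESTRY_DEPTH):
        if parent is None:
            return None
        if is_pystemon(parent):
            return parent
        parent = by_pid.get(parent.get("ppid"))
    return None


def find_suspicious_children(events):
    """Return (pid, exe, cmdline, ancestor_pid) for every process descended
    from a pystemon process whose executable is not in the allowlist."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if is_pystemon(ev) or ev.get("exe") in EXPECTED_CHILD_EXES:
            continue
        ancestor = pystemon_ancestor(ev, by_pid)
        if ancestor is not None:
            alerts.append((ev["pid"], ev["exe"], ev["cmdline"], ancestor["pid"]))
    return alerts


if __name__ == "__main__":
    for pid, exe, cmdline, anc in find_suspicious_children(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={pid} exe={exe} cmdline={cmdline!r} under pystemon pid={anc}")
```

On the sample data the shell spawned by pystemon and the grandchild it launched are both reported, the unrelated root shell is not, and the allowlisted python3 child is ignored. That last case is the weak spot of any allowlist: if the deployment can confirm that pystemon never forks at all, empty EXPECTED_CHILD_EXES and treat every descendant as an alert.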
