CVE-2021-27513

8.8 HIGH

📋 TL;DR

CVE-2021-27513 is an arbitrary file upload vulnerability in the admin_ITSM module of EyesOfNetwork 5.3-10 that allows authenticated attackers to upload malicious .xml.php files. This can lead to remote code execution and privilege escalation. The vulnerability affects EyesOfNetwork installations with the admin_ITSM module enabled.

💻 Affected Systems

Products:
  • EyesOfNetwork
Versions: 5.3-10
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin_ITSM module to be enabled and accessible to authenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through remote code execution leading to data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Unauthorized file upload leading to web shell deployment and subsequent privilege escalation within the EyesOfNetwork environment.

🟢 If Mitigated: Limited impact with proper file upload validation and authentication controls in place.

🌐 Internet-Facing: HIGH - If the EyesOfNetwork web interface is exposed to the internet, attackers can exploit this after obtaining valid credentials.
🏢 Internal Only: MEDIUM - Requires authenticated access, but internal attackers or compromised accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public proof-of-concept exploits exist that demonstrate file upload and RCE capabilities. Exploitation requires valid user credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3-11 or later

Vendor Advisory: https://github.com/EyesOfNetworkCommunity/eonweb/issues/87

Restart Required: Yes

Instructions:

1. Back up your current EyesOfNetwork installation.
2. Update to EyesOfNetwork version 5.3-11 or later.
3. Restart the EyesOfNetwork services.
4. Verify the fix by checking the version and testing file upload functionality.

🔧 Temporary Workarounds

Disable admin_ITSM module

Temporarily disable the vulnerable module until patching can be completed.

# Disable the module by removing or renaming the admin_ITSM directory
mv /usr/share/eyesofnetwork/eonweb/module/admin_ITSM /usr/share/eyesofnetwork/eonweb/module/admin_ITSM.disabled

Restrict file upload permissions

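Deny requests for .xml.php files under the module path at the web server, so that a file uploaded with that extension cannot be requested and executed there. The rule matches the request URI, not the file name carried inside the upload's POST body, so it does not stop the upload itself.

# Add to web server configuration (Apache example)
# Deny from is Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat.
<LocationMatch "^/eonweb/module/admin_ITSM">
    # Flag any request whose URI ends in .xml.php
    SetEnvIf Request_URI ".*\.xml\.php$" block_upload
    # Refuse flagged requests
    Deny from env=block_upload
</LocationMatch>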

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate EyesOfNetwork from critical systems.
  • Enforce strong authentication policies and monitor for suspicious file upload activities.

🔍 How to Verify

Check if Vulnerable:

Check if running EyesOfNetwork version 5.3-10 and if the admin_ITSM module is accessible at /eonweb/module/admin_ITSM.

Check Version:

grep 'version' /usr/share/eyesofnetwork/eonweb/include/config.php | grep -o '[0-9]\.[0-9]-[0-9]*'

Verify Fix Applied:

Verify the version is 5.3-11 or later and attempt to upload a .xml.php file through the admin_ITSM interface (should be blocked).

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /eonweb/module/admin_ITSM
  • Multiple failed authentication attempts followed by successful login and file upload
  • Execution of PHP files from unexpected locations

Network Indicators:

  • HTTP POST requests to /eonweb/module/admin_ITSM with file upload content
  • Outbound connections from EyesOfNetwork server to unknown IPs

SIEM Query:

source="apache_access.log" AND ((uri="/eonweb/module/admin_ITSM" AND method="POST" AND status=200) OR (uri MATCHES ".*\.xml\.php$"))
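
The log indicators and query above, as an added Python example (not code from EyesOfNetwork or from this advisory's sources): it flags successful POSTs to the module path and requests for .xml.php URIs in Apache access log lines, and escalates when both come from the same client. The module path follows this page; the rule names and the sample log lines are constructed.

```python
import re

# Apache common/combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
MODULE_PREFIX = "/eonweb/module/admin_itsm"  # advisory's path, lower-cased
DOUBLE_EXT = re.compile(r"\.xml\.php$", re.IGNORECASE)


def scan(lines):
    """Return (rule, client, path) findings for Apache access log lines."""
    findings = []
    posted = set()  # clients with a successful POST to the module
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line in the expected format
        client, method, status = m["client"], m["method"], int(m["status"])
        path = m["uri"].split("?", 1)[0]  # match on the path, not the query
        if (method == "POST" and status == 200
                and path.lower().startswith(MODULE_PREFIX)):
            posted.add(client)
            findings.append(("module_post", client, path))
        if DOUBLE_EXT.search(path):
            # Escalate when the same client posted to the module earlier.
            rule = "post_then_xml_php" if client in posted else "xml_php_request"
            findings.append((rule, client, path))
    return findings


# Constructed sample lines, not taken from a real system.
SAMPLE = [
    '10.0.0.5 - - [12/Mar/2021:10:01:02 +0100] "GET /eonweb/module/admin_ITSM/ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2021:10:01:40 +0100] "POST /eonweb/module/admin_ITSM/ HTTP/1.1" 200 812',
    '10.0.0.5 - - [12/Mar/2021:10:02:05 +0100] "GET /eonweb/module/admin_ITSM/example.xml.php?a=1 HTTP/1.1" 200 64',
    '10.0.0.7 - - [12/Mar/2021:10:03:00 +0100] "POST /eonweb/module/admin_ITSM/ HTTP/1.1" 403 199',
    '10.0.0.9 - - [12/Mar/2021:10:04:10 +0100] "GET /eonweb/example.xml.php HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

A post_then_xml_php finding is the one to triage first; a lone module_post is expected from legitimate administration of the module.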
