CVE-2021-27963

8.2 HIGH

📋 TL;DR

CVE-2021-27963 is an authentication bypass vulnerability in SonLogger that allows unauthenticated attackers to create new user accounts with administrative privileges. This affects SonLogger versions before 6.4.1. Attackers can exploit this to gain complete control over the application.

💻 Affected Systems

Products:
  • SonLogger
Versions: All versions before 6.4.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable if the web interface is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain SuperAdmin access, enabling complete system compromise, data theft, and potential lateral movement to connected systems.

🟠 Likely Case

Unauthenticated attackers create administrative accounts to access sensitive logging data and modify system configurations.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact is limited to the SonLogger instance only.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and can be exploited via a single HTTP POST request.
🏢 Internal Only: HIGH - Even internally, any network-accessible instance is vulnerable to exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only curl or a similar HTTP client to send a single POST request to the /User/saveUser endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.1

Vendor Advisory: https://www.sonlogger.com/releasenotes

Restart Required: Yes

Instructions:

1. Download SonLogger 6.4.1 or later from the official vendor site.
2. Back up the current configuration and data.
3. Install the updated version.
4. Restart the SonLogger service.
5. Verify that authentication is required for user creation.

🔧 Temporary Workarounds

Network Access Control

all

Restrict network access to the SonLogger web interface using firewall rules

# Example iptables rules: allow the trusted network, then drop every other source on the port (an ACCEPT rule alone restricts nothing)
iptables -A INPUT -p tcp --dport [SonLogger_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [SonLogger_port] -j DROP
# Windows Firewall (this rule blocks all sources; scope an Allow rule with -RemoteAddress [trusted_network] for the hosts that need access): New-NetFirewallRule -DisplayName "Block SonLogger" -Direction Inbound -Protocol TCP -LocalPort [SonLogger_port] -Action Block

Web Application Firewall

all

Block POST requests to the /User/saveUser endpoint from unauthenticated sources

# ModSecurity rule chain (note: REMOTE_USER is only populated when the web server or reverse proxy itself authenticates the client, e.g. HTTP Basic auth; SonLogger's own application sessions are not visible here)
SecRule REQUEST_METHOD "@streq POST" "chain,id:1001,phase:2,deny,status:403,msg:'Block SonLogger exploit'"
SecRule REQUEST_URI "@beginsWith /User/saveUser" "chain"
SecRule REMOTE_USER "^$"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SonLogger from untrusted networks
  • Deploy a reverse proxy with authentication requirements for all /User/ endpoints

🔍 How to Verify

Check if Vulnerable:

Send a POST request to http://[sonlogger_host]/User/saveUser carrying a user-creation payload, without any authentication. If the request succeeds, the system is vulnerable.

Check Version:

Check the SonLogger web interface login page or the About section for the version number.

Verify Fix Applied:

Repeat the same POST request after patching; it should be rejected with an authentication error or a 403 response.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /User/saveUser from unauthenticated sources
  • New user creation events without corresponding authentication logs
  • Multiple failed authentication attempts followed by successful user creation

Network Indicators:

  • HTTP POST to /User/saveUser endpoint with user creation parameters
  • Traffic from unexpected sources to SonLogger web interface

SIEM Query:

source="sonlogger.log" AND uri_path="/User/saveUser" AND http_method="POST" AND (user="anonymous" OR NOT user=*)
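As an added example (not from the page's author or the SonLogger project), the log indicator above turned into a small Python detector: it assumes a constructed access-log format (client IP, user field with "-" when absent, timestamp, request line, status) and flags POSTs to /User/saveUser whose user field is missing or "anonymous", the same two cases the SIEM query has to cover.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from any real SonLogger deployment).
# Assumed format: <client_ip> <user-or-"-"> [<timestamp>] "<method> <path> HTTP/1.1" <status>
SAMPLE_LOG = """\
203.0.113.7 - [10/Mar/2021:10:00:01 +0000] "POST /User/saveUser HTTP/1.1" 200
10.0.0.5 admin [10/Mar/2021:10:05:12 +0000] "POST /User/saveUser HTTP/1.1" 200
203.0.113.7 anonymous [10/Mar/2021:10:06:30 +0000] "POST /User/saveUser?x=1 HTTP/1.1" 200
10.0.0.9 - [10/Mar/2021:10:07:00 +0000] "GET /User/saveUser HTTP/1.1" 405
10.0.0.5 admin [10/Mar/2021:10:08:44 +0000] "GET /Dashboard HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_unauth_save_user(ev):
    """True for a POST to /User/saveUser with no authenticated user.
    Covers both cases of the SIEM query: user == 'anonymous' and user field absent ('-')."""
    path = ev["path"].split("?", 1)[0]  # compare the path without its query string
    unauth = ev["user"] in ("-", "anonymous", "")
    return ev["method"] == "POST" and path == "/User/saveUser" and unauth

def find_suspicious(log_text):
    """Return (ip, timestamp, status) for every event matching the indicator."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_unauth_save_user(ev):
            hits.append((ev["ip"], ev["ts"], ev["status"]))
    return hits

def hits_by_source(log_text):
    """Count matching events per client IP, handy for alert thresholds."""
    return Counter(ip for ip, _, _ in find_suspicious(log_text))

if __name__ == "__main__":
    for ip, ts, status in find_suspicious(SAMPLE_LOG):
        print(f"ALERT unauthenticated POST /User/saveUser from {ip} at {ts} (status {status})")
```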
