CVE-2021-28250

7.8 HIGH

📋 TL;DR

CVE-2021-28250 is a local privilege escalation vulnerability in CA eHealth Performance Manager: the runpicEhealth executable improperly handles setuid/setgid files, allowing a local attacker to execute arbitrary code with the privileges of the ehealth user. All versions through 6.3.2.12 are affected. Because the product is end-of-life, every affected version is unsupported and no vendor patch is available.

💻 Affected Systems

Products:
  • CA eHealth Performance Manager
Versions: All versions through 6.3.2.12
Operating Systems: Linux/Unix systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects products that are no longer supported by the maintainer. Requires local shell access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full control of the system as ehealth user, potentially leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Local user with shell access escalates privileges to ehealth user, gaining access to sensitive performance monitoring data and system resources.

🟢

If Mitigated

Exposure is limited to users who already have local shell access; properly segmented systems and hosts with strict user privilege separation are not affected.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring shell access to the vulnerable system.
🏢 Internal Only: HIGH - Internal users with shell access can exploit this to gain elevated privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local shell access. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch available since product is end-of-life. Consider migration to supported alternatives.

🔧 Temporary Workarounds

Remove setuid bit from runpicEhealth (Linux)

Remove the setuid permission from the vulnerable executable to prevent privilege escalation. The vulnerability also concerns setgid handling, so check for and clear a setgid bit in the same way (g-s).

chmod u-s /path/to/runpicEhealth

Restrict file permissions (Linux)

Limit access to the runpicEhealth executable to only the users who need it. Note that mode 750 has no special bits, so this step also clears setuid/setgid, and changing the owner to root may break functionality that expects the binary to run as the ehealth user; test on a non-production host first.

chmod 750 /path/to/runpicEhealth
chown root:root /path/to/runpicEhealth

🧯 If You Can't Patch

  • Isolate affected systems in separate network segments with strict access controls
  • Implement principle of least privilege - ensure users only have necessary shell access

🔍 How to Verify

Check if Vulnerable:

Check whether the runpicEhealth executable has the setuid or setgid bit set (prints the path if either bit is present; an ls/grep check on the fourth character misses setgid and the capital 'S' form): find /path/to/runpicEhealth -perm /6000

Check Version:

Check eHealth version in product documentation or configuration files

Verify Fix Applied:

Verify the special bits are gone (the mode string must contain no 's' or 'S'): stat -c '%A %U:%G' /path/to/runpicEhealth
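The following audit helper ties the workaround and the verification steps above together. It is an added example, not part of this advisory or of the vendor's software: it reports whether a given file still carries setuid/setgid bits (and who owns it) and can enumerate every special-bit file below a directory, which is useful when the real install location of runpicEhealth is not known. It assumes GNU coreutils/findutils (Linux); /path/to/runpicEhealth is a placeholder, not the actual path.

```shell
#!/bin/sh
# Added audit helper for the CVE-2021-28250 workaround (not vendor code).
# Assumes GNU stat/find; /path/to/runpicEhealth below is a placeholder.

# check_special_bits FILE
#   Prints a one-line report and returns:
#     0 = no setuid/setgid bits (workaround in place)
#     1 = setuid and/or setgid set (still exploitable)
#     2 = file does not exist
check_special_bits() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    # %a = octal mode, e.g. 4755 (setuid), 2755 (setgid), 6755 (both), 755 (neither)
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U:%G' "$f")
    # Leading digit holds the special bits only when the mode has four digits
    case "$mode" in
        ????) special=${mode%???} ;;
        *)    special=0 ;;
    esac
    flags=""
    if [ $((special & 4)) -ne 0 ]; then flags="${flags}setuid "; fi
    if [ $((special & 2)) -ne 0 ]; then flags="${flags}setgid "; fi
    if [ -n "$flags" ]; then
        echo "VULNERABLE $f mode=$mode owner=$owner ($flags)"
        return 1
    fi
    echo "OK $f mode=$mode owner=$owner"
    return 0
}

# list_special_bit_files DIR
#   Lists every regular file below DIR with setuid or setgid set, staying on
#   one filesystem. Use it to locate the real runpicEhealth binary.
list_special_bit_files() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null
}

# Usage: sh audit_special_bits.sh /path/to/runpicEhealth [more files...]
if [ -n "${1:-}" ]; then
    for p in "$@"; do
        check_special_bits "$p"
    done
fi
```

Run it before applying chmod u-s to record the baseline (expect VULNERABLE), and again afterwards (expect OK); a non-zero exit code makes it easy to wire into a configuration-compliance job.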

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution as ehealth user
  • Failed privilege escalation attempts in system logs

Network Indicators:

  • N/A - local exploitation only

SIEM Query:

process.name:"runpicEhealth" AND NOT user.name:"ehealth"

(KQL/Lucene syntax: the negation is written with NOT rather than !=. This flags runpicEhealth launched by any account other than the service user; tune the field names to your SIEM's schema.)

🔗 References
