CVE-2021-28823
📋 TL;DR
CVE-2021-28823 is a local privilege escalation in Windows installations of TIBCO eFTL. Because the installation does not restrict access properly, a low-privileged attacker with local access can place malicious files where they are later executed with elevated privileges. All TIBCO eFTL editions (Community, Developer, Enterprise) at version 6.5.0 and below on Windows are affected; other platforms are not listed in the advisory.
💻 Affected Systems
- TIBCO eFTL - Community Edition
- TIBCO eFTL - Developer Edition
- TIBCO eFTL - Enterprise Edition
📦 What is this software?
TIBCO eFTL, TIBCO Software's messaging service for web and mobile client applications, which on Windows runs as a privileged service from its installation directory.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains administrative privileges, installs persistent malware, accesses sensitive data, and moves laterally across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional tools, and maintain persistence on compromised systems.
If Mitigated
Limited impact with proper access controls, monitoring, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires an account that can log on to (or run code on) the host as a low-privileged user; from there the attack is a file drop into a location the product later executes from with elevated rights, which is straightforward. No public exploit code is known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.6.0 and higher
Vendor Advisory: http://www.tibco.com/services/support/advisories
Restart Required: Yes
Instructions:
1. Download TIBCO eFTL version 6.6.0 or higher from TIBCO's official download site.
2. Upgrade by following TIBCO's installation guide for the edition in use.
3. Restart the eFTL service and any dependent applications.
🔧 Temporary Workarounds
Restrict installation directory permissions
Windows: Apply strict access controls to the TIBCO eFTL installation directory so that low-privileged users cannot create or replace files in it. The standard layout for a program directory is full control for Administrators and SYSTEM and read/execute only for Users. Adjust the path to the actual installation directory, and make sure the account the eFTL service runs as keeps read access to the tree (and write access to any log or data directories it needs, which should be kept outside the program tree or ACLed separately). Avoid a Deny entry on Users: Administrators and SYSTEM are also members of the groups nested in Users, and a Deny ACE takes precedence over their Allow entries.
icacls "C:\Program Files\TIBCO\eFTL" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
Remove unnecessary local user access
Windows: Limit local accounts on systems running TIBCO eFTL to authorized administrators, and restrict the "Allow log on locally" and "Allow log on through Remote Desktop Services" user rights to those administrators; every low-privileged account that can reach the host is a candidate path to SYSTEM.
🧯 If You Can't Patch
- Reduce who can reach the host at all: the flaw needs local access, so restricting interactive and RDP logon to administrators is the most direct compensating control.
- Isolate affected systems in a restricted network segment with no internet access and only the internal connectivity the messaging service needs, so that a successful escalation does not turn into lateral movement.
- Implement strict monitoring and alerting for file creation or modification in the TIBCO installation directory by non-administrative accounts, and for privilege escalation indicators on those hosts.
🔍 How to Verify
Check if Vulnerable:
Check the TIBCO eFTL version via Control Panel > Programs and Features; the system is vulnerable if the version is 6.5.0 or below. If the product is not listed there (not every TIBCO installer registers the product as an MSI package), check the version in the installation directory name or the product's own version files. Note that the wmic command below is deprecated on current Windows releases and that "wmic product" enumerates every MSI package on the host, which is slow; the registry uninstall keys or PowerShell's Get-Package are faster alternatives.
Check Version:
wmic product where "name like 'TIBCO eFTL%'" get version
Verify Fix Applied:
Confirm the installed version is 6.6.0 or higher. Then verify the ACL on the installation directory (for example with icacls or Get-Acl) grants write access only to Administrators and SYSTEM, with Users holding no more than read and execute; the service's own log and data directories are the only places a non-admin service account should be able to write.
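The permission check above is the one that matters for both the workaround and the fix verification, so here it is as a script. This is an added example, not TIBCO's code and not part of the original advisory: it walks the eFTL installation tree, reports every Allow ACE that gives a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER a write-type right, and lists the services that launch from that tree together with the account they run as (the account whose privileges a planted file would inherit). The default path in $InstallDir and the trusted-principal list are assumptions; adjust both to the real installation.

```powershell
# Added example (not TIBCO's code): audit a TIBCO eFTL install tree for the condition
# CVE-2021-28823 abuses, i.e. a non-administrative principal that can create or replace
# files the product later executes with elevated rights.
# $InstallDir is an assumed default; point it at the real eFTL installation directory.
param(
    [string]$InstallDir = 'C:\Program Files\TIBCO\eFTL'
)

# Principals that legitimately hold write access under program directories (assumption;
# add the eFTL service account if it needs write access to a data directory in the tree).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Any of these rights lets a user plant, replace or re-ACL a file or directory.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) cover unmapped generic ACEs.
$WriteMask = (
    [int][System.Security.AccessControl.FileSystemRights]::Write -bor
    [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
    [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
    0x40000000 -bor 0x10000000
)

function Find-NonAdminWriteAccess {
    param([string]$Path)

    $items = @(Get-Item -LiteralPath $Path)
    $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Deny ACEs are skipped here; a matching Deny would override a reported Allow,
            # so review findings against the full ACL before acting on them.
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ServicesLaunchedFrom {
    param([string]$Path)
    # A planted file runs with the rights of whatever launches it, so record which
    # services start from the tree and under which account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$Path*" } |
        Select-Object Name, StartName, State, PathName
}

$findings = @(Find-NonAdminWriteAccess -Path $InstallDir)
if ($findings.Count -gt 0) {
    Write-Warning "Non-administrative principals can write under ${InstallDir}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No non-administrative write access found under $InstallDir"
}
Get-ServicesLaunchedFrom -Path $InstallDir | Format-Table -AutoSize
```

Run it from an elevated PowerShell so Get-Acl can read every object. An empty findings list plus a service account of LocalSystem is the expected state after the icacls workaround or after upgrading to 6.6.0 or higher; any Users or Authenticated Users entry with Write, Modify or FullControl is the vulnerable condition and should be removed.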
📡 Detection & Monitoring
Log Indicators:
- Security event 4663 (object access) showing write-type access (WriteData, AppendData, DELETE, WRITE_DAC) to files under the TIBCO eFTL installation directory by an account other than SYSTEM or the eFTL service account. This event is only written when the "File System" audit subcategory is enabled and the directory carries a SACL.
- Security event 4688 (process creation, with command-line logging enabled) for processes launched from the TIBCO installation directory with an unexpected parent process, or by a non-administrative user; event 4672 (special privileges assigned to new logon) for accounts that do not normally hold administrative privileges.
- Unexpected executables, DLLs or scripts appearing in the TIBCO installation directory, especially with a different owner than the rest of the tree.
Network Indicators:
- Unusual outbound connections from systems running TIBCO eFTL
- Lateral movement attempts from previously low-privileged accounts
SIEM Query:
(source="WinEventLog:Security" EventCode=4663 ObjectName="*\\TIBCO\\eFTL\\*" SubjectUserName!="SYSTEM") OR (source="WinEventLog:Security" EventCode=4688 NewProcessName="*\\TIBCO\\eFTL\\*" SubjectUserName!="SYSTEM")
Adjust the path to the actual installation directory and exclude the eFTL service account if it is not SYSTEM. Field names depend on the Windows log add-on in use (Splunk's add-on, for example, names the fields Object_Name and New_Process_Name), and the 4663 half of the query returns nothing unless object-access auditing is enabled and a SACL has been set on the directory.
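Because the 4663 indicators above only exist once auditing is configured, the following added example (not TIBCO's code and not part of the original page) does both halves of the job on a single host: it enables the relevant audit subcategories, places a SACL on the installation tree that records successful write-type access by anyone, and then queries the Security log for write-type 4663 events under that path that were not performed by SYSTEM, LOCAL SERVICE or NETWORK SERVICE. The default path in $InstallDir, the lookback window and the trusted SID list are assumptions; adjust them to the real installation and to the account the service runs as.

```powershell
# Added example (not TIBCO's code): enable object-access auditing on a TIBCO eFTL install
# tree and pull write-type Security events (4663) under it that were not performed by a
# trusted system account. $InstallDir is an assumed default; adjust it to the real
# installation directory. Run from an elevated PowerShell (SACL changes need SeSecurityPrivilege).
param(
    [string]$InstallDir = 'C:\Program Files\TIBCO\eFTL',
    [int]$LookbackHours = 24
)

# 1. Audit policy: 4663 is only logged when "File System" is enabled, and 4688 only when
#    "Process Creation" is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. SACL on the install tree: audit successful write-type access by anyone. Trusted
#    accounts are filtered out at query time so the SACL itself stays simple.
function Enable-WriteAuditing {
    param([string]$Path)
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 3. Query. Write-type bits of the 4663 AccessMask: WriteData 0x2, AppendData 0x4,
#    WriteEA 0x10, WriteAttributes 0x100, DELETE 0x10000, WRITE_DAC 0x40000, WRITE_OWNER 0x80000.
$WriteAccessBits = 0xD0116
# Well-known SIDs whose writes are expected (assumption: the eFTL service runs as SYSTEM;
# add the service account's SID here if it does not).
$TrustedSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

function Get-UntrustedWrites {
    param([string]$Path, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        if ($d['ObjectName'] -notlike "$Path*") { return }
        if (([int]$d['AccessMask'] -band $WriteAccessBits) -eq 0) { return }
        if ($TrustedSids -contains $d['SubjectUserSid']) { return }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['ProcessName']
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']
        }
    }
}

Enable-WriteAuditing -Path $InstallDir
Get-UntrustedWrites -Path $InstallDir -Hours $LookbackHours | Format-Table -AutoSize
```

Expect legitimate hits during upgrades and administrative maintenance; correlate them with change windows rather than tuning them out by account, since an administrator's session is exactly what an escalated attacker holds. 4663 records the access requested when a handle is opened, not every write, so one planted file produces one event per open. Forward the Security log to the SIEM so the query in the previous section sees the same events centrally.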