CVE-2021-29281
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to GFI Mail Archiver servers via insecure Telerik Web UI components. It affects GFI Mail Archiver versions up to and including 15.1, potentially leading to remote code execution.
💻 Affected Systems
- GFI Mail Archiver
📦 What is this software?
GFI MailArchiver (marketed today as GFI Archiver) is an on-premises email archiving product, used mainly with Microsoft Exchange. Its management and search interface is an ASP.NET web application hosted on IIS that bundles Telerik UI for ASP.NET AJAX components; the vulnerable upload handler is part of that Telerik component, not of GFI's own code.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution, data exfiltration, ransomware deployment, or creation of persistent backdoors.
Likely Case
Web shell upload leading to server control, data theft, and lateral movement within the network.
If Mitigated
Limited impact if the Telerik upload handler is unreachable from untrusted networks, or if uploaded files land in a directory where IIS will not execute scripts, so that an uploaded .aspx cannot be turned into a web shell.
🎯 Exploit Status
Public exploit code available on Exploit-DB (ID 50181) and other sources. Attack requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a GFI Archiver release later than 15.1 (check GFI's release notes for the first fixed build)
Vendor Advisory / Product Page: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver
Restart Required: Yes
Instructions:
1. Upgrade GFI Mail Archiver to the latest version.
2. Apply all security patches published by GFI.
3. Restart the application/service and confirm the new version (see How to Verify).
🔧 Temporary Workarounds
Block the Telerik Web UI upload endpoint
Block access to the vulnerable Telerik handler (Telerik.Web.UI.WebResource.axd) with IIS request filtering or a web application firewall. A host firewall cannot match URL paths: a netsh rule on TCP 80/443 takes the whole GFI web interface offline, not just the Telerik handler, so use that only if you intend to cut off all web access.
<!-- web.config in the GFI site root: IIS request filtering rejects any URL containing the Telerik handler name. -->
<!-- Caveat: the same handler also serves Telerik scripts and styles, so parts of the UI will break; test before relying on it. -->
<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences><add sequence="Telerik.Web.UI.WebResource.axd" /></denyUrlSequences>
</requestFiltering></security></system.webServer></configuration>
Prevent script execution in the upload directory
Denying NTFS write access to Everyone also denies the IIS application-pool identity, which breaks legitimate uploads and does nothing against a web shell that has already been written. The effective control is to stop IIS from executing scripts in the directory the Telerik handler writes to.
<!-- web.config in the site root. "Uploads" is illustrative; use the directory the Telerik upload handler actually writes to. -->
<!-- With accessPolicy="Read", requests for .aspx/.ashx/.asmx under this path are refused instead of executed. -->
<configuration>
  <location path="Uploads"><system.webServer><handlers accessPolicy="Read" /></system.webServer></location>
</configuration>
🧯 If You Can't Patch
- Isolate GFI Mail Archiver server in separate network segment with strict firewall rules
- Implement web application firewall with file upload protection and Telerik-specific rules
🔍 How to Verify
Check if Vulnerable:
Check the GFI Mail Archiver version in the application interface or in the registry (key name may differ between releases): HKEY_LOCAL_MACHINE\SOFTWARE\GFI\MailArchiver\Version. Version 15.1 and earlier are vulnerable.
Check Version:
reg query "HKLM\SOFTWARE\GFI\MailArchiver" /v Version
Verify Fix Applied:
Confirm the installed version is later than 15.1, then, in a test environment, confirm that an unauthenticated POST to the Telerik upload handler is rejected (for example by running the public Exploit-DB 50181 proof of concept against the patched build and checking that no file is written).
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to Telerik endpoints
- ASPX/ASP files in upload directories
- Web.config modifications
- Failed authentication attempts to admin interfaces
Network Indicators:
- HTTP POST requests to /Telerik.Web.UI.WebResource.axd
- File uploads with unusual extensions (.aspx, .ashx, .asmx)
- Outbound connections from GFI server to unknown IPs
SIEM Query (pseudo-syntax; adapt to your platform):
source="GFI Mail Archiver" AND ((method="POST" AND url="*Telerik.Web.UI.WebResource.axd*") OR file_extension IN ("aspx","ashx","asmx"))
GET requests to the same handler are normal Telerik script and resource traffic; it is the POST that carries an upload.
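The indicator list above can be turned into a hunt over IIS W3C logs. The following is an added example and not code from the original advisory or from GFI: it parses a constructed IIS log excerpt, flags POSTs to the Telerik handler (GETs to it are routine UI traffic) and flags script files served from an upload location, then tallies indicators per client address. The "Uploads" directory name is an assumption carried over from the workaround above; the `type=rau` query string in the sample is the selector Telerik's async-upload handler uses and is a Telerik detail, not something stated on this page.

```python
"""Hunt IIS W3C logs for CVE-2021-29281 style activity (added example, not GFI code).

The log excerpt is constructed; the upload directory name is an assumption.
"""
import re
from collections import Counter

# Constructed IIS W3C log excerpt; column names come from the #Fields directive.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-04-02 10:15:01 10.0.0.5 GET /MailArchiver/Default.aspx - 10.0.0.20 200
2021-04-02 10:15:07 10.0.0.5 POST /MailArchiver/Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
2021-04-02 10:15:09 10.0.0.5 GET /MailArchiver/Uploads/cmd.aspx c=whoami 203.0.113.9 200
2021-04-02 10:15:12 10.0.0.5 GET /MailArchiver/Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00 10.0.0.20 200
2021-04-02 10:16:40 10.0.0.5 GET /MailArchiver/Search.aspx q=invoice 10.0.0.21 200
"""

TELERIK_HANDLER = "telerik.web.ui.webresource.axd"
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")
UPLOAD_DIR_HINT = re.compile(r"/upload", re.IGNORECASE)  # assumed directory naming


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production pipeline would record this
        yield dict(zip(fields, values))


def classify(entry):
    """Return indicator tags for one entry; an empty list means nothing suspicious."""
    tags = []
    stem = entry["cs-uri-stem"].lower()
    method = entry["cs-method"].upper()
    # Uploads reach the Telerik handler by POST; legitimate UI traffic fetches it by GET.
    if stem.endswith(TELERIK_HANDLER) and method == "POST":
        tags.append("telerik-handler-post")
    # A server-side script served from an upload location is a web shell until proven otherwise.
    if stem.endswith(SCRIPT_EXTENSIONS) and UPLOAD_DIR_HINT.search(stem):
        tags.append("script-in-upload-dir")
    return tags


def hunt(text):
    """Return (alerts, indicators-per-client) for a W3C log text."""
    alerts = []
    by_client = Counter()
    for entry in parse_w3c(text):
        tags = classify(entry)
        if tags:
            when = entry["date"] + " " + entry["time"]
            alerts.append((when, entry["c-ip"], entry["cs-uri-stem"], tags))
            by_client[entry["c-ip"]] += len(tags)
    return alerts, by_client


if __name__ == "__main__":
    found, clients = hunt(SAMPLE_LOG)
    for when, client, uri, tags in found:
        print(f"{when} {client} {uri} {','.join(tags)}")
    print("indicators per client:", clients.most_common())
```

On the sample, the two flagged lines both come from 203.0.113.9: the POST to the handler followed seconds later by a GET for cmd.aspx under Uploads, which is the upload-then-execute sequence the Likely Case above describes. Point `hunt()` at real W3C logs from the GFI server's IIS site, and treat any client that trips both indicators as an incident rather than a finding to triage later.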
🔗 References
- https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/
- https://cwe.mitre.org/data/definitions/434.html
- https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
- https://www.exploit-db.com/exploits/50181
- https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver