CVE-2021-29393

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to execute arbitrary system commands on NorthStar Club Management servers by injecting malicious commands into unsanitized parameters. It affects Northstar Technologies Inc NorthStar Club Management version 6.3, potentially compromising any server running this software.

💻 Affected Systems

Products:
  • Northstar Technologies Inc NorthStar Club Management
Versions: 6.3
Operating Systems: Any OS running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: The cominput.jsp and comoutput.jsp endpoints are vulnerable by default when the software is installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case: Attackers gain shell access to the server, steal sensitive club member data, install cryptocurrency miners, or use the server as a pivot point for further attacks.

🟢 If Mitigated: Limited impact if proper network segmentation, web application firewalls, and input validation are in place, though the vulnerability remains exploitable.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Even internally, any user with network access could exploit this to gain system-level privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires simple HTTP requests with command injection payloads. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - Check with vendor for patched version

Vendor Advisory: https://ardent-security.com/en/advisory/asa-2021-01/

Restart Required: Yes

Instructions:

1. Contact Northstar Technologies for the patched version.
2. Back up configuration and data.
3. Apply the vendor-provided patch.
4. Restart application services.
5. Verify the fix.

🔧 Temporary Workarounds

Web Application Firewall Rule (platform: all)

Block or sanitize requests containing shell metacharacters in the command and commandvalues parameters.

WAF-specific: configure rules to block patterns such as ; | & $ ( ) ` > < in those parameters. Match against the URL-decoded parameter values (so that encoded forms such as %3B are caught), not the raw query string, where & is the ordinary parameter separator.

Access Control Restriction (platform: linux)

Restrict access to the cominput.jsp and comoutput.jsp endpoints using network controls, for example:

iptables -A INPUT -p tcp --dport 80 -m string --string "cominput.jsp" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 80 -m string --string "comoutput.jsp" --algo bm -j DROP

Note that the iptables string match inspects plaintext packet payloads only: it does not apply to HTTPS traffic, is case-sensitive by default, and can miss a request whose URL is split across packets, so treat it as a stopgap rather than a substitute for restricting the endpoints at the web server or reverse proxy.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable system from critical assets
  • Deploy a web application firewall with command injection detection rules in blocking mode

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET request to /cominput.jsp?command=id&commandvalues=test and check if system command output appears in response

Check Version:

Check application version in web interface or configuration files

Verify Fix Applied:

Attempt the same test after patching - should receive error or sanitized response without command execution

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to cominput.jsp or comoutput.jsp with shell metacharacters
  • System commands in URL parameters or POST data
  • Multiple failed exploitation attempts

Network Indicators:

  • HTTP requests containing shell commands like whoami, id, ls, cat, wget, curl in parameters
  • Outbound connections from web server to unusual destinations

SIEM Query:

source="web_logs" AND (uri="*cominput.jsp*" OR uri="*comoutput.jsp*") AND (param="*;*" OR param="*|*" OR param="*&*" OR param="*`*")
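The same logic as the SIEM query above, applied offline to web-server access logs, as an added example (not code from the advisory or the vendor); the log lines are constructed, and the parameter names and metacharacter list come from this advisory. It decodes parameter values before matching so that URL-encoded metacharacters are not missed.

```python
"""Flag access-log lines that match the cominput.jsp / comoutput.jsp SIEM query."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PAGES = ("cominput.jsp", "comoutput.jsp")
WATCHED_PARAMS = ("command", "commandvalues")
# Shell metacharacters listed in the advisory's WAF guidance.
META = set(";|&$()`<>")

# Common Log Format: client - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /cominput.jsp?command=dir&commandvalues=test HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2021:12:00:02 +0000] "GET /cominput.jsp?command=dir%3Bid&commandvalues=x HTTP/1.1" 200 880',
    '198.51.100.7 - - [10/Mar/2021:12:00:03 +0000] "GET /index.jsp?q=a%7Cb HTTP/1.1" 200 100',
    '198.51.100.7 - - [10/Mar/2021:12:00:04 +0000] "POST /comoutput.jsp?commandvalues=%2524%28id%29 HTTP/1.1" 200 100',
]

def parse_line(line):
    """Split one CLF line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, path, status = m.groups()
    return {"client": client, "time": when, "method": method,
            "path": path, "status": int(status)}

def suspicious_params(path):
    """Return {param: decoded value} for watched params containing metacharacters."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith(TARGET_PAGES):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    hits = {}
    for name in WATCHED_PARAMS:
        for raw in qs.get(name, []):
            value = unquote(raw)  # second decode catches double-encoded values
            if META & set(value):
                hits[name] = value
    return hits

def scan(lines):
    """Return (client, path, hits) for every line matching the query logic."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            hits = suspicious_params(rec["path"])
            if hits:
                alerts.append((rec["client"], rec["path"], hits))
    return alerts
```

Running scan(SAMPLE_LOG) flags only the second and fourth lines; the first carries no metacharacters and the third hits a different page.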
