CVE-2021-31800

9.8 CRITICAL

📋 TL;DR

CVE-2021-31800 is a critical path traversal vulnerability in Impacket's SMB server (smbserver.py) that allows attackers to read and write arbitrary files using directory traversal sequences (../). This affects anyone running Impacket's SMB server component, particularly penetration testers and security researchers who use it for legitimate purposes, but also any production systems where it might be deployed.

💻 Affected Systems

Products:
  • Impacket
Versions: All versions through 0.9.22
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the SMB server component (smbserver.py), not other Impacket modules. Most vulnerable when used in penetration testing or red teaming scenarios.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via arbitrary code execution by replacing critical files like /etc/shadow or SSH authorized_keys, leading to complete system takeover.

🟠 Likely Case

Unauthorized file access and modification, potentially exposing sensitive data or enabling lateral movement within a network.

🟢 If Mitigated

Limited impact if SMB server runs with minimal privileges and proper file system permissions restrict access to sensitive areas.

🌐 Internet-Facing: HIGH - If the SMB server is exposed to the internet, attackers can exploit it directly with no prior access to the internal network.
🏢 Internal Only: HIGH - Even internally, any attacker with network access to the SMB server can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers simply need to connect to the SMB server and use directory traversal sequences in file operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.23 and later

Vendor Advisory: https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f

Restart Required: Yes

Instructions:

1. Update Impacket using pip: 'pip install --upgrade impacket==0.9.23'
2. Restart any running smbserver.py instances
3. Verify the fix by checking the version

🔧 Temporary Workarounds

Disable SMB Server (platform: all)

Stop using the vulnerable smbserver.py component entirely:

pkill -f smbserver.py
systemctl stop <unit-name>   # any custom service unit that wraps smbserver.py

Run with Restricted Permissions (platform: linux)

Run smbserver.py with minimal privileges and in a chroot/jail environment. smbserver.py takes a share name and the directory to export as positional arguments; replace the placeholders below:

sudo -u nobody python smbserver.py <shareName> <sharePath>
chroot /restricted/path python smbserver.py <shareName> <sharePath>   # the Python interpreter and Impacket must be installed inside the chroot

🧯 If You Can't Patch

  • Isolate the SMB server on a dedicated network segment with strict firewall rules
  • Run the SMB server in a container with read-only filesystem mounts for sensitive directories

🔍 How to Verify

Check if Vulnerable:

Check Impacket version: if version <= 0.9.22 and smbserver.py is running, the system is vulnerable

Check Version:

python -c "import impacket; print(impacket.__version__)"

Verify Fix Applied:

Verify version is 0.9.23 or higher and test that directory traversal attempts are properly blocked
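An added Python example (not Impacket's own code) of the two checks this section describes: flagging an installed version at or below 0.9.22, and the share-confinement rule a patched server must apply to every client-supplied path, which is what a blocked traversal attempt runs into. The share root and the SMB paths are constructed values.

```python
import os
import re

# Last release affected by CVE-2021-31800, as stated on the page.
LAST_VULNERABLE = (0, 9, 22)


def parse_version(version: str) -> tuple:
    """Turn '0.9.22', '0.10.0' or '0.9.22.dev1' into a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Impacket is 0.9.22 or older."""
    return parse_version(version) <= LAST_VULNERABLE


def confine_to_share(share_root: str, smb_path: str):
    """Map a client-supplied SMB path onto the share root.

    Returns the path relative to the share root, or None when the request
    would land outside the share (the condition the patched server rejects).
    """
    # SMB clients send backslash-separated paths; normalise the separators
    # and drop any leading slash so the path is always joined under the root.
    rel = smb_path.replace("\\", "/").lstrip("/")
    root = os.path.realpath(share_root)
    # realpath collapses '..' and follows symlinks, so a symlink inside the
    # share that points outside it is caught by the same comparison.
    candidate = os.path.realpath(os.path.join(root, rel))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return os.path.relpath(candidate, root)


if __name__ == "__main__":
    # Constructed share root and requests; nothing is read from disk.
    for request in ("docs\\a.txt", "docs\\..\\a.txt", "..\\..\\etc\\passwd"):
        print(request, "->", confine_to_share("/srv/share", request))
    print("0.9.22 vulnerable:", is_vulnerable_version("0.9.22"))
```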

📡 Detection & Monitoring

Log Indicators:

  • SMB requests containing '../' sequences
  • Unauthorized file access attempts to sensitive paths

Network Indicators:

  • SMB traffic to non-standard ports on hosts running Impacket's SMB server
  • Multiple failed file operations with traversal patterns

SIEM Query:

(source="smbserver.log" AND "../") OR (source="auth.log" AND process="smbserver.py" AND (event="file_access" OR event="permission_denied"))
