CVE-2021-33191 – This vulnerability in Apache NiFi MiNiFi C++ al... (How to Fix)

Q: What is the severity of CVE-2021-33191?

CVE-2021-33191 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Apache NiFi MiNiFi C++ allows remote attackers to execute arbitrary commands with the same privileges as the application binary. Attackers can modify the 'agent-update' command through a 'c2-update' command to execute malicious code. All systems running vulnerable versions of Apache NiFi MiNiFi C++ with C2 protocol enabled are affected.

📋 TL;DR

This vulnerability in Apache NiFi MiNiFi C++ allows remote attackers to execute arbitrary commands with the same privileges as the application binary. Attackers can modify the 'agent-update' command through a 'c2-update' command to execute malicious code. All systems running vulnerable versions of Apache NiFi MiNiFi C++ with C2 protocol enabled are affected.

💻 Affected Systems

Products:

Apache NiFi MiNiFi C++

Versions: 0.5.0 through 0.9.0

Operating Systems: All operating systems where Apache NiFi MiNiFi C++ runs

Default Config Vulnerable: ⚠️ Yes

Notes: Requires C2 protocol to be enabled and accessible. The vulnerability exists in the default configuration when C2 is used.

📦 What is this software?

Nifi Minifi C\+\+ by Apache

View all CVEs affecting Nifi Minifi C\+\+ →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root/administrator privileges, allowing complete control over the host system, data exfiltration, and lateral movement.

🟠

Likely Case

Remote code execution leading to data theft, service disruption, or installation of backdoors/malware.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, potentially containing the breach to a single system.

🌐 Internet-Facing: HIGH - The C2 protocol may be exposed to external networks, allowing remote exploitation without authentication.

🏢 Internal Only: HIGH - Even internally, the vulnerability can be exploited by attackers who gain network access or through compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is straightforward to exploit once an attacker can send commands to the C2 endpoint. No authentication is required for the vulnerable command.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.0 and later

Vendor Advisory: https://lists.apache.org/thread.html/r6f27a2454f5f67dbe4e21c8eb1db537b01863a0bc3758f28aa60f032%40%3Cannounce.apache.org%3E

Restart Required: Yes

Instructions:

1. Download Apache NiFi MiNiFi C++ version 0.10.0 or later from the official Apache website. 2. Stop the MiNiFi service. 3. Replace the binary with the patched version. 4. Restart the MiNiFi service. 5. Verify the service is running correctly.

🔧 Temporary Workarounds

Disable C2 Protocol

all

Disable the C2 protocol if not required for your use case to prevent exploitation.

Edit MiNiFi configuration file (typically minifi.properties) and set 'nifi.c2.enable' to 'false'

Network Segmentation

all

Restrict network access to the C2 protocol endpoint using firewall rules.

iptables -A INPUT -p tcp --dport [C2_PORT] -j DROP (Linux)
New-NetFirewallRule -DisplayName "Block MiNiFi C2" -Direction Inbound -Protocol TCP -LocalPort [C2_PORT] -Action Block (Windows)

🧯 If You Can't Patch

Implement strict network access controls to isolate MiNiFi instances from untrusted networks.
Run MiNiFi with minimal privileges (non-root user) to limit potential damage from exploitation.

🔍 How to Verify

Check if Vulnerable:

Check the MiNiFi version and verify if C2 protocol is enabled. Vulnerable versions are 0.5.0 through 0.9.0.

Check Version:

./minifi --version (Linux) or minifi.exe --version (Windows)

Verify Fix Applied:

Verify the installed version is 0.10.0 or later and test that C2 commands cannot execute arbitrary binaries.

📡 Detection & Monitoring

Log Indicators:

Unusual C2 protocol activity
Execution of unexpected binaries or commands
Failed update attempts from unexpected sources

Network Indicators:

Unexpected network connections to/from MiNiFi C2 port
Suspicious C2 protocol traffic patterns

SIEM Query:

source="minifi.log" AND ("c2-update" OR "agent-update") AND NOT expected_source_ip

📊 Metadata

CVE ID: CVE-2021-33191

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: August 24, 2021

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2021/08/24/1 Mailing List,Third Party Advisory
https://lists.apache.org/thread.html/r6f27a2454f5f67dbe4e21c8eb1db537b01863a0bc3758f28aa60f032%40%3Cannounce.apache.org%3E
https://www.openwall.com/lists/oss-security/2021/08/24/1 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/08/24/1 Mailing List,Third Party Advisory
https://lists.apache.org/thread.html/r6f27a2454f5f67dbe4e21c8eb1db537b01863a0bc3758f28aa60f032%40%3Cannounce.apache.org%3E
https://www.openwall.com/lists/oss-security/2021/08/24/1 Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-33191, you might also want to check these: