CVE-2021-3341
📋 TL;DR
A path traversal vulnerability in DH2i's DxWebEngine component allows attackers to read arbitrary files on the host system via crafted HTTP requests. This affects DxEnterprise and DxOdyssey for Windows versions 19.5 through 20.x before 20.0.219.0. Attackers can potentially access sensitive system files without authentication.
💻 Affected Systems
- DH2i DxEnterprise
- DH2i DxOdyssey
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading of sensitive files like passwords, configuration files, or SSH keys, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive application configuration files, database credentials, or system information that could facilitate further attacks.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to vulnerable services.
🎯 Exploit Status
Exploitation requires network access to the vulnerable HTTP service but no authentication. Path traversal attacks are well-understood and relatively simple to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.0.219.0 or later
Vendor Advisory: https://clients.dh2i.com/Support/Article.aspx?ID=2963454
Restart Required: Yes
Instructions:
1. Download the latest version from DH2i's official website.
2. Stop all DxEnterprise/DxOdyssey services.
3. Run the installer to upgrade to version 20.0.219.0 or later.
4. Restart services and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
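Windows: Restrict network access to the DxWebEngine HTTP service using firewall rules so that only trusted IP addresses can reach it.
# This rule blocks inbound TCP 80/443 from every remote address. Windows Firewall block rules take precedence over allow rules, so trusted hosts are blocked as well.
New-NetFirewallRule -DisplayName "Block DxWebEngine External" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress Any -Action Block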
Disable DxWebEngine
Windows: Temporarily disable the DxWebEngine component if it is not required for operations.
Stop-Service DxWebEngine
Set-Service DxWebEngine -StartupType Disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems from untrusted networks
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check the installed version of DxEnterprise/DxOdyssey. If the version is in the range 19.5 through 20.x and earlier than 20.0.219.0, the system is vulnerable.
Check Version:
Get-ItemProperty HKLM:\Software\DH2i\DxEnterprise\* | Select-Object Version
Verify Fix Applied:
Verify the version is 20.0.219.0 or later and test that path traversal attempts to access system files are blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' or '..\' patterns in URLs
- Access to unusual file paths via web service logs
- Failed file access attempts to sensitive system directories
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f, ..%2f)
- Unusual file extensions being requested via HTTP
SIEM Query:
source="web_server_logs" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*" OR url="*..%2f*")
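The wildcard query above matches only the literal spellings it lists. As an added example (not from the vendor or the original page), this Python sketch decodes each request target before checking for a `..` path segment, so it also catches mixed-case and double-encoded forms beyond those named above. The Common Log Format layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not real DxWebEngine logs).
SAMPLE_LOG = [
    r'10.0.0.5 - - [01/Feb/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    r'10.0.0.9 - - [01/Feb/2021:10:00:02 +0000] "GET /static/../../secret.txt HTTP/1.1" 200 88',
    r'10.0.0.9 - - [01/Feb/2021:10:00:03 +0000] "GET /static/..%2f..%2fsecret.txt HTTP/1.1" 200 88',
    r'10.0.0.7 - - [01/Feb/2021:10:00:04 +0000] "GET /%2E%2E%5C%2E%2E%5Csecret.txt HTTP/1.1" 404 0',
    r'10.0.0.7 - - [01/Feb/2021:10:00:05 +0000] "GET /%252e%252e%252fsecret.txt HTTP/1.1" 404 0',
    r'10.0.0.5 - - [01/Feb/2021:10:00:06 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 40',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# ".." counts only as a whole segment: after a separator, before "/" or the end.
DOTDOT_SEGMENT = re.compile(r'(?:^|[/?=&])\.\.(?:/|$)')


def normalize(target, max_rounds=3):
    """Percent-decode until stable (catches double encoding), then unify separators."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def has_traversal(target):
    """True if the decoded request target contains a parent-directory segment."""
    return bool(DOTDOT_SEGMENT.search(normalize(target)))


def scan(lines):
    """Return (client_ip, raw_target) for every log line with a traversal segment."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group(1)):
            hits.append((line.split()[0], match.group(1)))
    return hits


if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"{ip}\t{target}")
```

Names such as `v1..2` are not flagged because the dots are not a complete path segment, which keeps the false-positive rate lower than a plain substring match.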