CVE-2021-3378 – CVE-2021-3378 is an arbitrary file upload vulne... (How to Fix)

Q: What is the severity of CVE-2021-3378?

CVE-2021-3378 has a CVSS score of 9.8 (CRITICAL). CVE-2021-3378 is an arbitrary file upload vulnerability in FortiLogger that allows attackers to upload malicious files by sending a Content-Type: image/png header to a specific endpoint. This affects FortiLogger version 4.4.2.2 and can lead to remote code execution. Organizations using this specific version of FortiLogger are vulnerable.

📋 TL;DR

CVE-2021-3378 is an arbitrary file upload vulnerability in FortiLogger that allows attackers to upload malicious files by sending a Content-Type: image/png header to a specific endpoint. This affects FortiLogger version 4.4.2.2 and can lead to remote code execution. Organizations using this specific version of FortiLogger are vulnerable.

💻 Affected Systems

Products:

FortiLogger

Versions: 4.4.2.2

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the web interface component and requires the affected endpoint to be accessible.

📦 What is this software?

Fortilogger by Fortilogger

View all CVEs affecting Fortilogger →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠

Likely Case

Web shell deployment leading to persistent access, data exfiltration, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact with proper network segmentation, web application firewalls, and file upload restrictions in place.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication, making internet-facing instances immediate targets.

🏢 Internal Only: HIGH - Even internal instances are vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Multiple public exploit scripts and proof-of-concept code are available, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 4.4.2.2

Vendor Advisory: https://www.fortinet.com/support/product-security

Restart Required: Yes

Instructions:

1. Upgrade FortiLogger to the latest version. 2. Apply any security patches from Fortinet. 3. Restart the FortiLogger service after patching.

🔧 Temporary Workarounds

Block vulnerable endpoints

all

Use web application firewall or network firewall to block access to /Config/SaveUploadedHotspotLogoFile and /Assets/temp/hotspot/img/logohotspot.asp

Restrict file uploads

all

Configure server to only accept specific file types and validate file content, not just headers

🧯 If You Can't Patch

Isolate FortiLogger instance in a separate network segment with strict access controls
Implement web application firewall with rules to detect and block file upload exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if FortiLogger version is 4.4.2.2 and test if file upload to /Config/SaveUploadedHotspotLogoFile with Content-Type: image/png header is accepted

Check Version:

Check FortiLogger web interface or configuration files for version information

Verify Fix Applied:

Verify FortiLogger version is updated beyond 4.4.2.2 and test that the file upload vulnerability is no longer exploitable

📡 Detection & Monitoring

Log Indicators:

Unusual file upload requests to /Config/SaveUploadedHotspotLogoFile
ASP file creation in /Assets/temp/hotspot/img/ directory
Multiple failed upload attempts with different file types

Network Indicators:

HTTP POST requests to vulnerable endpoint with image/png header but non-image content
Subsequent requests to uploaded ASP files

SIEM Query:

source="fortilogger" AND (uri="/Config/SaveUploadedHotspotLogoFile" OR uri="/Assets/temp/hotspot/img/*.asp")

📊 Metadata

CVE ID: CVE-2021-3378

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: February 1, 2021

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/161601/FortiLogger-4.4.2.2-Arbitrary-File-Upload.html Exploit,Third Party Advisory,VDB Entry
http://packetstormsecurity.com/files/161974/FortiLogger-Arbitrary-File-Upload.html Exploit,Third Party Advisory,VDB Entry
https://github.com/erberkan/fortilogger_arbitrary_fileupload Exploit,Third Party Advisory
http://packetstormsecurity.com/files/161601/FortiLogger-4.4.2.2-Arbitrary-File-Upload.html Exploit,Third Party Advisory,VDB Entry
http://packetstormsecurity.com/files/161974/FortiLogger-Arbitrary-File-Upload.html Exploit,Third Party Advisory,VDB Entry
https://github.com/erberkan/fortilogger_arbitrary_fileupload Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-3378, you might also want to check these: