CVE-2021-34422

7.2 HIGH

📋 TL;DR

The Keybase Client for Windows contains a path traversal vulnerability that allows malicious users to upload specially named files to shared folders, potentially leading to remote code execution. This affects Windows users running Keybase Client versions before 5.7.0 who use team folder sharing features.

💻 Affected Systems

Products:
  • Keybase Client
Versions: Windows versions before 5.7.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires use of team folder sharing or public folder sharing features.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on the victim's machine if combined with public folder sharing, allowing an attacker to execute arbitrary applications.

🟠 Likely Case

Local file system manipulation through crafted file names in shared folders, potentially leading to arbitrary file writes.

🟢 If Mitigated

Limited to file name manipulation without execution if proper file validation is in place.

🌐 Internet-Facing: MEDIUM - Requires user interaction with shared folders but can be exploited remotely through public folder sharing.
🏢 Internal Only: MEDIUM - Exploitable within teams/organizations using shared folders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to upload files to shared folders and victim interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.0 and later

Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin

Restart Required: Yes

Instructions:

1. Open Keybase Client.
2. Go to Settings > About.
3. Check version.
4. If below 5.7.0, download latest version from keybase.io.
5. Install update.
6. Restart Keybase Client.

🔧 Temporary Workarounds

Disable Team Folder Sharing

Platform: Windows

Temporarily disable team folder sharing features until patched.

Restrict Public Folder Access

Platform: Windows

Limit or disable public folder sharing to reduce attack surface.

🧯 If You Can't Patch

  • Disable all shared folder functionality in Keybase Client settings
  • Implement strict file upload validation at network perimeter for Keybase traffic

🔍 How to Verify

Check if Vulnerable:

Check Keybase Client version in Settings > About. If version is below 5.7.0, system is vulnerable.

Check Version:

keybase --version

Verify Fix Applied:

Verify version is 5.7.0 or higher in Settings > About after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns to shared folders
  • Files with suspicious path characters in names

Network Indicators:

  • Keybase client connections uploading files with unusual names

SIEM Query:

source="keybase" AND event="file_upload" AND (file_name CONTAINS ".." OR file_name CONTAINS "/" OR file_name CONTAINS "\")
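
The same detection logic as a small offline triage script. This is an added example, not code from Keybase or from this page. The JSON-lines schema (source, event, user, file_name) is an assumption that mirrors the field names in the query above, and the events are constructed. It goes slightly beyond the query by flagging ".." only when it is a whole path component, so a name such as "notes..v2.txt" is not reported.

```python
import json
import re

# Constructed sample events (JSON lines). The field names mirror the SIEM
# query on this page; they are an assumed schema, not Keybase's log format.
SAMPLE_EVENTS = r'''
{"source": "keybase", "event": "file_upload", "user": "alice", "file_name": "minutes-2021-10.docx"}
{"source": "keybase", "event": "file_upload", "user": "bob", "file_name": "..\\..\\outside\\report.docx"}
{"source": "keybase", "event": "file_upload", "user": "carol", "file_name": "notes..v2.txt"}
{"source": "keybase", "event": "file_upload", "user": "dave", "file_name": "docs/readme.txt"}
{"source": "keybase", "event": "file_delete", "user": "erin", "file_name": "../old.txt"}
{"source": "proxy", "event": "file_upload", "user": "frank", "file_name": "a/b.txt"}
'''

SEPARATORS = re.compile(r"[\\/]")

def name_indicators(file_name):
    """Return the path-related indicators present in a single file name."""
    found = []
    if SEPARATORS.search(file_name):
        found.append("separator")
    # Flag ".." only as a whole path component, so "notes..v2.txt" is not
    # reported the way a plain substring match would report it.
    if ".." in SEPARATORS.split(file_name):
        found.append("dotdot")
    return found

def suspicious_uploads(log_text):
    """Return (user, file_name, indicators) for Keybase uploads worth triage."""
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort the scan
        if not isinstance(ev, dict):
            continue
        # Source and event type must both match before the name is inspected.
        if ev.get("source") != "keybase" or ev.get("event") != "file_upload":
            continue
        indicators = name_indicators(str(ev.get("file_name", "")))
        if indicators:
            hits.append((ev.get("user"), ev["file_name"], indicators))
    return hits

if __name__ == "__main__":
    for user, name, why in suspicious_uploads(SAMPLE_EVENTS):
        print(f"{user}: {name!r} -> {', '.join(why)}")
```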
