CVE-2021-34820

7.5 HIGH

📋 TL;DR

CVE-2021-34820 is a directory traversal vulnerability in the Novus HTTP Server that allows unauthenticated attackers to access arbitrary files on the server via specially crafted HTTP GET requests. This affects Novus Management System (NMS) software up to version 1.51.2, potentially exposing sensitive configuration files, credentials, and other system data.

💻 Affected Systems

Products:
  • Novus Management System (NMS)
Versions: Up to and including 1.51.2
Operating Systems: All platforms running NMS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Novus HTTP Server component within NMS installations. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through access to sensitive files like configuration files containing credentials, leading to lateral movement and full control of affected systems.

🟠 Likely Case

Exfiltration of sensitive configuration data, credentials, and system files that could enable further attacks or data breaches.

🟢 If Mitigated

Limited impact with proper network segmentation, file system permissions, and monitoring in place to detect traversal attempts.

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but with more limited attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP GET requests with directory traversal sequences. Public exploit code and technical details are available in the referenced disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.51.2

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Identify affected NMS installations.
2. Upgrade to a version after 1.51.2.
3. Restart the Novus HTTP Server service.
4. Verify the fix by testing for directory traversal.

🔧 Temporary Workarounds

Network Access Control (linux)

Restrict access to the Novus HTTP Server to only trusted networks and IP addresses.

Use firewall rules to limit access:

  iptables -A INPUT -p tcp --dport [NMS_PORT] -s [TRUSTED_IP] -j ACCEPT
  iptables -A INPUT -p tcp --dport [NMS_PORT] -j DROP

Web Application Firewall (all)

Deploy a WAF to block directory traversal patterns in HTTP requests.

Configure WAF rules to detect and block sequences like '../', '..\', and encoded variants.

🧯 If You Can't Patch

  • Implement strict file system permissions to limit what files the HTTP server process can access.
  • Deploy network segmentation to isolate NMS systems from sensitive networks and monitor for traversal attempts.

🔍 How to Verify

Check if Vulnerable:

Test with HTTP GET requests containing directory traversal sequences (e.g., GET /../../etc/passwd) to the NMS server and check for file access.

Check Version:

Check NMS version via web interface or configuration files; consult vendor documentation for exact location.

Verify Fix Applied:

After patching, repeat the traversal test; the traversal requests should now return error messages or be blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP logs showing requests with '../' or similar traversal patterns
  • Access to unexpected files or directories by the HTTP server process

Network Indicators:

  • HTTP GET requests with encoded or plain directory traversal sequences
  • Unusual file access patterns from external IPs

SIEM Query:

source="web_logs" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*")
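
The query above matches literal strings, so mixed-case, backslash-encoded or double-encoded variants can slip past it. The following is an added example, not vendor or original-page code: a Python log filter that percent-decodes the request path repeatedly and then looks for a '..' path segment. The log format (common/combined access log), the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # enough to unwrap double and triple percent-encoding

def normalize(uri: str) -> str:
    """Drop the query string, percent-decode repeatedly, unify separators."""
    path = uri.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(uri: str) -> bool:
    """True when a path segment is exactly '..' after normalization."""
    return ".." in normalize(uri).split("/")

def flag_lines(lines):
    """Return (client_ip, raw_uri) for each log line with a traversal segment."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real NMS output.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2021:10:00:05 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [01/Jul/2021:10:00:06 +0000] "GET /%2E%2E%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 1843',
    '203.0.113.4 - - [01/Jul/2021:10:00:09 +0000] "GET /..%5c..%5cconfig.ini HTTP/1.1" 404 0',
    '203.0.113.4 - - [01/Jul/2021:10:00:11 +0000] "GET /%252e%252e/secret HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jul/2021:10:00:12 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for ip, uri in flag_lines(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {uri}")
```

A flagged request that was answered with status 200 deserves priority in triage, since it suggests the file was actually served.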

🔗 References