CVE-2021-34823

9.1 CRITICAL
XXE

📋 TL;DR

CVE-2021-34823 is a critical vulnerability in ON24 ScreenShare for macOS that allows unauthenticated remote attackers to read local files and upload them to remote machines via an XXE flaw. The vulnerability affects macOS users running the vulnerable plugin version. Attackers can exploit this through crafted HTTP requests to the plugin's built-in HTTP server.

💻 Affected Systems

Products:
  • ON24 ScreenShare (DesktopScreenShare.app)
Versions: All versions before 2.0
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in the default configuration of the plugin when installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the macOS system with exfiltration of sensitive files, credentials, and user data to attacker-controlled servers.

🟠 Likely Case

Unauthorized access to user documents, configuration files, and potentially sensitive data stored in accessible directories.

🟢 If Mitigated

Limited impact if the plugin is disabled or network access is restricted, though local file access remains a concern.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated remote exploitation via HTTP requests, making internet-exposed systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal network systems are still at risk from internal attackers or compromised machines, though exposure is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable server, which is straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0

Vendor Advisory: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29105

Restart Required: Yes

Instructions:

1. Download ON24 ScreenShare version 2.0 or later from the official vendor source.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system to ensure changes take effect.

🔧 Temporary Workarounds

Disable ON24 ScreenShare Plugin

macOS

Completely disable or uninstall the vulnerable plugin to eliminate the attack surface.

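Unload the launch daemon first so the plugin's HTTP server stops running, then remove the application bundle:

sudo launchctl unload /Library/LaunchDaemons/com.on24.screenshare.plist
sudo rm -rf /Applications/DesktopScreenShare.app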

Block Network Access

macOS

Use firewall rules to block incoming HTTP requests to the ON24 ScreenShare server port.

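Add this rule to /etc/pf.conf, replacing <ON24_PORT> with the port the plugin listens on:

block in proto tcp from any to any port <ON24_PORT>

Then reload the ruleset (pf must be enabled for the rule to take effect):

sudo pfctl -f /etc/pf.conf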

🧯 If You Can't Patch

  • Disable the ON24 ScreenShare plugin immediately and remove it from the system.
  • Implement strict network segmentation and firewall rules to block all traffic to the ON24 service.

🔍 How to Verify

Check if Vulnerable:

Check if DesktopScreenShare.app exists in /Applications and verify its version is below 2.0.

Check Version:

defaults read /Applications/DesktopScreenShare.app/Contents/Info.plist CFBundleShortVersionString

Verify Fix Applied:

Confirm DesktopScreenShare.app version is 2.0 or higher, or verify the application has been completely removed.
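
The version check above, written as a script that can be run across several Macs. This is an added example, not code from the vendor or the advisory, and the function names and status strings are assumptions made for it. It compares version components numerically, so 1.10 counts as lower than 2.0 and 10.1 as higher.

```sh
#!/bin/sh
# Added example: classify an ON24 ScreenShare install against the fixed version.
# Function names and status strings are assumptions made for this example.

FIXED_VERSION="2.0"   # patch version given on this page

# Return 0 when dotted version $1 is strictly lower than $2 (numeric, per component).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; a missing component counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# Print VULNERABLE, PATCHED or UNKNOWN for a CFBundleShortVersionString value.
classify_version() {
    case $1 in
        ''|*[!0-9.]*) echo "UNKNOWN"; return 0 ;;   # empty or non-numeric: review by hand
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo "VULNERABLE"; else echo "PATCHED"; fi
}

# Print the status of the bundle at $1 (default: the path named on this page).
check_on24() {
    app=${1:-/Applications/DesktopScreenShare.app}
    if [ ! -d "$app" ]; then echo "NOT_INSTALLED"; return 0; fi
    ver=$(defaults read "$app/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null) || ver=
    classify_version "$ver"
}

check_on24
```

An UNKNOWN result means the bundle exists but its version string could not be read or parsed, so treat that host as unverified rather than patched.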

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to the ON24 service port in system logs
  • File access attempts from the ON24 process to sensitive directories

Network Indicators:

  • HTTP traffic to unusual external IPs from the ON24 service
  • Outbound file transfers initiated by the ON24 process

SIEM Query:

source="macos_system_logs" AND process="DesktopScreenShare" AND (event="http_request" OR event="file_access")
