CVE-2021-35002
📋 TL;DR
This vulnerability allows authenticated remote attackers to upload malicious files through email attachments in BMC Track-It!, leading to remote code execution. Attackers can execute arbitrary code with the privileges of the service account. Organizations using vulnerable versions of BMC Track-It! are affected.
💻 Affected Systems
- BMC Track-It!
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, deploy ransomware, or establish persistent backdoors.
Likely Case
Data exfiltration, lateral movement within the network, and installation of malware or cryptocurrency miners.
If Mitigated
Limited impact with proper network segmentation, file upload restrictions, and monitoring in place.
🎯 Exploit Status
Authentication is required, but exploitation is straightforward once authenticated. ZDI has published technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.21.1 and later
Vendor Advisory: https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It
Restart Required: Yes
Instructions:
1. Download Track-It! version 20.21.1 or later from the BMC support portal.
2. Back up the current installation and data.
3. Run the installer with administrative privileges.
4. Restart the Track-It! service and verify functionality.
🔧 Temporary Workarounds
Restrict File Upload Types
Configure Track-It! to only accept specific safe file extensions for email attachments.
Implement Web Application Firewall
Deploy WAF rules to block malicious file uploads and suspicious patterns.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Track-It! servers from critical systems
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious file uploads and execution
🔍 How to Verify
Check if Vulnerable:
Check the Track-It! version in the administration console or in the Windows installed-programs list.
Check Version:
Check Track-It! About dialog or Windows Programs and Features
Verify Fix Applied:
Verify version is 20.21.1 or later and test email attachment functionality with restricted file types.
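The version check above can be scripted. The following PowerShell snippet is an added example, not part of the advisory or of BMC's tooling: it reads the Programs and Features entries from the standard Uninstall registry keys, picks out anything whose DisplayName contains "Track-It" (the name pattern is an assumption), and compares the recorded DisplayVersion against the fixed version 20.21.1 stated above.

```powershell
# Added example (not from the advisory): compare the installed Track-It!
# version from Programs and Features against the patched version 20.21.1.
# The DisplayName pattern '*Track-It*' is an assumption.
$FixedVersion = [version]'20.21.1'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Enumerate every installed product and keep the Track-It! entries
$Entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Track-It*' }

if (-not $Entries) {
    Write-Output 'No Track-It! entry found in Programs and Features.'
    return
}

foreach ($e in $Entries) {
    $installed = $null
    # DisplayVersion may be missing or carry trailing text; strip anything
    # after the numeric part before parsing it as a System.Version
    $numeric = if ($e.DisplayVersion) { $e.DisplayVersion -replace '[^\d.].*$', '' } else { '' }
    if ($numeric -and [version]::TryParse($numeric, [ref]$installed)) {
        $status = if ($installed -ge $FixedVersion) { 'PATCHED' } else { 'VULNERABLE (CVE-2021-35002)' }
        Write-Output ('{0} {1} -> {2}' -f $e.DisplayName, $installed, $status)
    } else {
        Write-Output ('{0}: version "{1}" could not be parsed; confirm in the About dialog' -f $e.DisplayName, $e.DisplayVersion)
    }
}
```

Run it in an elevated PowerShell session on the Track-It! server; a result of VULNERABLE means the installed build predates 20.21.1 and the official fix above still needs to be applied.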
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads via email attachments
- Execution of unexpected processes from upload directories
- Failed authentication attempts followed by successful uploads
Network Indicators:
- HTTP POST requests with file uploads to Track-It! email endpoints
- Outbound connections from Track-It! server to unknown IPs
SIEM Query:
source="track-it-logs" AND ((event="file_upload" AND NOT file_extension IN ("pdf","doc","txt")) OR (event="process_execution" AND image_path="<upload_directory>\*"))
(Pseudo-query: replace <upload_directory> with the attachment directory of your installation and adapt the field names to your SIEM's schema. The parentheses matter: without them the process_execution clause would match events from every source.)
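The two log indicators above (uploads of non-allow-listed file types, and processes launched from the upload directory) can be triaged offline before a SIEM rule is written. The following PowerShell script is an added example, not part of the advisory: it runs that logic over a few constructed key=value log lines. The log format, the field names, the upload directory path and the extension allow-list are all assumptions, not Track-It!'s real log schema.

```powershell
# Added example (not from the advisory): apply the advisory's two log
# indicators to constructed sample log lines. Field names, log format,
# the upload directory and the extension allow-list are assumptions.
$AllowedExtensions = @('pdf', 'doc', 'txt')
$UploadDir = 'C:\TrackIt\Attachments'   # assumed attachment drop directory

# Constructed sample events (not real Track-It! output)
$SampleLog = @'
2021-07-01T10:02:11Z event=file_upload user=jsmith file=invoice.pdf
2021-07-01T10:03:45Z event=file_upload user=jsmith file=update.aspx
2021-07-01T10:03:50Z event=process_execution user=svc_trackit image=C:\TrackIt\Attachments\update.aspx
2021-07-01T10:04:02Z event=process_execution user=svc_trackit image=C:\Windows\System32\notepad.exe
'@

# Parse one "timestamp key=value key=value ..." line into a hashtable
function ConvertFrom-KvLine {
    param([string]$Line)
    $tokens = $Line -split ' '
    $fields = @{ ts = $tokens[0] }
    foreach ($tok in $tokens[1..($tokens.Count - 1)]) {
        if ($tok -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

$Alerts = foreach ($line in ($SampleLog -split "`r?`n" | Where-Object { $_.Trim() })) {
    $f = ConvertFrom-KvLine $line
    switch ($f['event']) {
        'file_upload' {
            # Indicator 1: an attachment whose extension is not on the allow-list
            $ext = [System.IO.Path]::GetExtension($f['file']).TrimStart('.').ToLower()
            if ($ext -notin $AllowedExtensions) {
                [pscustomobject]@{ Time = $f['ts']; Indicator = 'upload of non-allow-listed type'; Detail = $f['file']; User = $f['user'] }
            }
        }
        'process_execution' {
            # Indicator 2: a process image located under the upload directory
            if ($f['image'] -like "$UploadDir\*") {
                [pscustomobject]@{ Time = $f['ts']; Indicator = 'process launched from upload directory'; Detail = $f['image']; User = $f['user'] }
            }
        }
    }
}

$Alerts | Format-Table -AutoSize
```

On the sample data this flags the update.aspx upload and the execution of that same file from the attachment directory, while the PDF upload and the notepad.exe launch pass silently; the second hit following the first within seconds is exactly the sequence the SIEM query above is meant to surface.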