CVE-2021-36121
📋 TL;DR
CVE-2021-36121 is an unrestricted file upload vulnerability in Echo ShareCare 8.15.5 that allows authenticated users to upload arbitrary files to arbitrary locations via directory traversal. This leads to remote code execution as the SYSTEM user on Windows systems. Organizations running vulnerable versions of Echo ShareCare are affected.
💻 Affected Systems
- Echo ShareCare
📦 What is this software?
Sharecare by Echobh
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining SYSTEM privileges, allowing complete control over the server, data theft, and lateral movement within the network.
Likely Case
Remote code execution leading to malware deployment, data exfiltration, and persistence establishment on affected systems.
If Mitigated
Limited impact with proper network segmentation and file upload restrictions, potentially only affecting the ShareCare application.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.15.6 or later
Vendor Advisory: https://www.echobh.com/security-advisory/
Restart Required: Yes
Instructions:
1. Contact Echo support for the latest patched version.
2. Backup configuration and data.
3. Install the updated version.
4. Restart the ShareCare service.
5. Verify the fix is applied.
🔧 Temporary Workarounds
Restrict File Upload Endpoint
Block or restrict access to the vulnerable endpoint using a web application firewall or network controls.
<!-- Example IIS URL Rewrite rule to block Access/DownloadFeed_Mnt/FileUpload_Upd.cfm -->
<rule name="Block ShareCare File Upload" stopProcessing="true">
  <match url="Access/DownloadFeed_Mnt/FileUpload_Upd\.cfm" />
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access Denied" />
</rule>
Implement File Upload Validation
Add server-side validation to restrict file types and prevent directory traversal in file uploads.
<!--- Implement in ColdFusion application code: allow only a safe character set (no / or \) and an approved extension --->
<cfif NOT IsValid("regex", form.name1, "^[a-zA-Z0-9_\-\.]+\.(txt|pdf|docx)$")>
  <cfthrow message="Invalid filename" />
</cfif>
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ShareCare servers from critical systems.
- Enforce least privilege for ShareCare service accounts and monitor for suspicious file upload activities.
🔍 How to Verify
Check if Vulnerable:
Check if ShareCare version is 8.15.5 or earlier and if the file upload endpoint is accessible to authenticated users.
Check Version:
Check ShareCare administration interface or application configuration files for version information.
Verify Fix Applied:
Verify ShareCare version is 8.15.6 or later and test that file upload with directory traversal payloads is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload requests to Access/DownloadFeed_Mnt/FileUpload_Upd.cfm
- Files with suspicious names or paths containing ../ sequences
- Execution of unexpected files from ShareCare directories
Network Indicators:
- HTTP POST requests to the vulnerable endpoint with filename parameters containing path traversal sequences
SIEM Query:
source="sharecare_logs" AND (uri="*FileUpload_Upd.cfm*" AND (filename="*../*" OR filename="*..\\*"))
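The log indicators and SIEM query above can be implemented as a small log scanner. The following is an added example, not part of this advisory or of the vendor's software: it reads IIS W3C log lines (the field order and the `file` parameter name are assumptions), percent-decodes the query repeatedly so double-encoded traversal sequences are not missed, and flags POSTs to the vulnerable endpoint whose filename contains `../` or `..\`. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote, parse_qs

# Endpoint named in the advisory (compared case-insensitively).
VULN_PATH = "/access/downloadfeed_mnt/fileupload_upd.cfm"
# A ".." path component delimited by / or \ (or at start/end of the value).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed sample in IIS W3C format; field order below is an assumption.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
2021-07-01 10:00:01 10.0.0.5 GET /Access/Login.cfm - 443 jdoe
2021-07-01 10:00:07 10.0.0.5 POST /Access/DownloadFeed_Mnt/FileUpload_Upd.cfm file=report.pdf 443 jdoe
2021-07-01 10:00:09 10.0.0.5 POST /Access/DownloadFeed_Mnt/FileUpload_Upd.cfm file=..%2F..%2Fwwwroot%2Fbad.cfm 443 jdoe
2021-07-01 10:00:11 10.0.0.5 POST /Access/DownloadFeed_Mnt/FileUpload_Upd.cfm file=%252e%252e%255cbad.cfm 443 jdoe
"""

def fully_decode(value, rounds=3):
    """Percent-decode until stable so %252e%252e%255c (double-encoded ..\\) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_upload(line):
    """True for a POST to the vulnerable endpoint whose query carries a traversal sequence."""
    if not line or line.startswith("#"):
        return False
    fields = line.split()
    if len(fields) < 6:
        return False
    # Assumed W3C field order: date time s-ip cs-method cs-uri-stem cs-uri-query ...
    method, stem, query = fields[3], fields[4], fields[5]
    if method.upper() != "POST" or fully_decode(stem).lower() != VULN_PATH or query == "-":
        return False
    # parse_qs decodes once; fully_decode handles further encoding layers.
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(TRAVERSAL.search(fully_decode(v)) for v in values):
            return True
    return False

def scan_log(text):
    """Return (cs-username, cs-uri-query) for every flagged line."""
    hits = []
    for line in text.splitlines():
        if is_suspicious_upload(line):
            f = line.split()
            hits.append((f[7] if len(f) > 7 else "-", f[5]))
    return hits

if __name__ == "__main__":
    for user, query in scan_log(SAMPLE_LOG):
        print(f"traversal upload attempt by {user}: {query}")
```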