CVE-2021-37364

7.8 HIGH

📋 TL;DR

OpenClinic GA 5.194.18 has insecure file permissions that allow authenticated low-privilege users to replace critical service executables with malicious files. When the system restarts, these malicious files execute with SYSTEM privileges, granting attackers full system control. This affects all installations using default permissions.

💻 Affected Systems

Products:
  • OpenClinic GA
Versions: 5.194.18 and likely earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Default installation with standard permissions is vulnerable. Requires authenticated user access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, allowing complete control over the server, data theft, and lateral movement within the network.

🟠

Likely Case

Privilege escalation from low-privilege authenticated user to SYSTEM, enabling persistence, data manipulation, and further attacks.

🟢

If Mitigated

Limited to low-privilege user capabilities with no ability to escalate privileges or execute arbitrary code.

🌐 Internet-Facing: MEDIUM - Requires authenticated access, but internet-facing systems could be targeted if credentials are compromised.
🏢 Internal Only: HIGH - Internal users with low privileges can exploit this to gain SYSTEM access on affected servers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access and system restart to trigger. Unquoted service path issues may provide additional attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Apply workarounds and consider alternative software if possible.

🔧 Temporary Workarounds

Restrict File Permissions

windows

Remove modify permissions for Authenticated Users group on OpenClinic installation folders, particularly bin directories containing mysqld.exe and tomcat8.exe.

icacls "C:\Program Files\OpenClinic\bin" /remove:g "Authenticated Users" /T
icacls "C:\Program Files\OpenClinic\bin" /deny "Authenticated Users":(M)

Fix Unquoted Service Paths

windows

Ensure all service paths in Windows Services are properly quoted to prevent path interception attacks.

sc config "OpenClinic Service Name" binPath= "\"C:\Program Files\OpenClinic\bin\service.exe\""

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unauthorized file modifications in OpenClinic directories.
  • Segment network to isolate OpenClinic servers and implement application allowlisting to prevent execution of unauthorized binaries.

🔍 How to Verify

Check if Vulnerable:

Check file permissions on the OpenClinic bin directories: run icacls "C:\Program Files\OpenClinic\bin\mysqld.exe" and icacls "C:\Program Files\OpenClinic\bin\tomcat8.exe" and look for the Authenticated Users group holding Modify (M) or Full Control (F) rights.

Check Version:

Check OpenClinic version in application interface or installation directory properties.

Verify Fix Applied:

Verify Authenticated Users group no longer has modify permissions on critical executables and service paths are properly quoted in Windows Services.
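A PowerShell audit that automates both checks above (weak ACLs on service binaries and unquoted service paths), added here as an example rather than taken from the advisory or from OpenClinic. It assumes the install root C:\Program Files\OpenClinic (override with -InstallRoot) and treats Authenticated Users, Users, Everyone and INTERACTIVE as low-privilege principals.

```powershell
# Added example, not part of the advisory: audit every Windows service whose
# binary sits under the OpenClinic install root for (a) Modify/Write/Delete/
# WriteDAC/TakeOwnership rights granted to broad principals and (b) an unquoted
# service path containing spaces. $InstallRoot is an assumption; adjust as needed.
param([string]$InstallRoot = 'C:\Program Files\OpenClinic')

$broadPrincipals = @('Authenticated Users', 'Users', 'Everyone', 'INTERACTIVE')
# Rights that let a low-privilege user replace, rewrite or re-ACL the executable
$weakRights = [System.Security.AccessControl.FileSystemRights]'Modify, Write, Delete, WriteData, ChangePermissions, TakeOwnership'
$genericWriteAll = 0x50000000  # GENERIC_WRITE | GENERIC_ALL bits, seen on some inherited ACEs

function Get-ServiceBinaryPath([string]$PathName) {
    # A quoted path ends at the closing quote; otherwise drop anything after the
    # first " -" or " /" switch so arguments are not treated as part of the path.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' [-/]')[0].Trim()
}

function Test-ServiceBinaryExposure([string]$Root) {
    $findings = @()
    $services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Root*" }
    foreach ($svc in $services) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        # (b) unquoted path with spaces (the path interception case in the workaround above)
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $findings += [pscustomobject]@{ Service = $svc.Name; Issue = 'Unquoted service path'; Detail = $svc.PathName }
        }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # (a) Allow ACEs for broad groups carrying any of the weak rights
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            $rights = [int]$ace.FileSystemRights
            if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $name -and
                ((($rights -band [int]$weakRights) -ne 0) -or (($rights -band $genericWriteAll) -ne 0))) {
                $findings += [pscustomobject]@{ Service = $svc.Name; Issue = "Weak ACL for '$name'"; Detail = "$exe : $($ace.FileSystemRights)" }
            }
        }
    }
    return $findings
}

$result = Test-ServiceBinaryExposure -Root $InstallRoot
if ($result) { $result | Format-Table -AutoSize }
else { "No weak ACLs or unquoted service paths found under $InstallRoot" }
```

Run it from an elevated prompt before and after applying the icacls and sc workarounds; an empty result after the fix confirms both conditions are cleared for every service under the install root.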

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4663 (object access attempt; requires the File System audit subcategory to be enabled and a SACL on the OpenClinic bin directories) showing write, delete or permission-change access to files under those directories
  • Unexpected service restarts or process creations from OpenClinic directories

Network Indicators:

  • Outbound connections from OpenClinic server to unknown external IPs following system restart

SIEM Query:

EventID=4663 AND ObjectName LIKE '%OpenClinic%bin%' AND (Accesses LIKE '%WriteData%' OR Accesses LIKE '%WRITE_DAC%' OR Accesses LIKE '%WRITE_OWNER%' OR Accesses LIKE '%DELETE%')
