CVE-2021-37441

CVSS Base Score: 8.8 HIGH

📋 TL;DR

CVE-2021-37441 is a path traversal vulnerability in NCH Axon PBX that allows an attacker to delete arbitrary files on the host by supplying traversal sequences in the logdelete parameter of the web interface. It affects NCH Axon PBX version 2.22 and earlier. Deletion of critical system files can lead to denial of service or further system compromise.

💻 Affected Systems

Products:
  • NCH Axon PBX
Versions: v2.22 and earlier
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical operating system files, leading to permanent data loss and extended service downtime.

🟠 Likely Case

Denial of service by deleting PBX configuration files, call logs, or system logs, disrupting telephony services.

🟢 If Mitigated

Limited impact if proper file permissions and access controls prevent deletion of critical files.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable through the web interface and a public proof-of-concept exists.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability just as easily.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web access to the PBX interface. The vulnerability is in the logdelete parameter, which accepts path traversal sequences without validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.23 or later

Vendor Advisory: https://www.nch.com.au/pbx/index.html

Restart Required: Yes

Instructions:

1. Download the latest version from the NCH website.
2. Back up the current configuration.
3. Install the update.
4. Restart the Axon PBX service.
5. Verify the version is 2.23 or higher.

🔧 Temporary Workarounds

Web Application Firewall Rule (platform: all)

Block requests containing path traversal sequences in the logdelete parameter. Match on the URL-decoded parameter value so that percent-encoded forms of the same sequence are blocked as well.

WAF rule: Block if request_uri contains 'logdelete?file=/..'

Access Restriction (platform: linux)

Restrict access to the Axon PBX web interface to trusted IP addresses only. Replace [AXON_PORT] with the web interface port and [TRUSTED_IP] with each trusted address or CIDR range; the ACCEPT rule(s) must come before the DROP rule.

iptables -A INPUT -p tcp --dport [AXON_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [AXON_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Axon PBX from untrusted networks
  • Enable detailed logging and monitoring for file deletion attempts via the web interface

🔍 How to Verify

Check if Vulnerable:

Check whether the Axon PBX version is 2.22 or earlier via the web interface admin panel or the system information page.

Check Version:

Check the web interface at http://[axon-ip]:[port]/admin or the installed program version.

Verify Fix Applied:

Verify that the version is 2.23 or higher and test that the logdelete parameter no longer accepts path traversal sequences.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'logdelete?file=/..' in access logs
  • Unexpected file deletion events in system logs

Network Indicators:

  • HTTP POST/GET requests to /logdelete endpoint with suspicious file parameters

SIEM Query:

source="axon_access.log" AND "logdelete?file=/.."
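A log scanner for the indicators above, added here as an example and not vendor code or a published detection rule. It assumes the PBX web access log is in Common Log Format and goes slightly beyond the literal 'logdelete?file=/..' string by percent-decoding the file parameter, so encoded and double-encoded traversal sequences are flagged too. The log lines and the hypothetical file names in them are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2021:12:00:01 +0000] "GET /logdelete?file=call_2021-08-09.log HTTP/1.1" 200 12
192.0.2.20 - - [10/Aug/2021:12:00:02 +0000] "GET /logdelete?file=/../../../../tmp/not-a-log.txt HTTP/1.1" 200 0
198.51.100.7 - - [10/Aug/2021:12:00:03 +0000] "GET /logdelete?file=%2e%2e%2f%2e%2e%2fconfig%2faxon.cfg HTTP/1.1" 200 0
192.0.2.30 - - [10/Aug/2021:12:00:04 +0000] "POST /logdelete HTTP/1.1" 302 0
203.0.113.5 - - [10/Aug/2021:12:00:05 +0000] "GET /admin HTTP/1.1" 200 540
"""

# Minimal Common Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e is seen as '..' as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_param):
    """True if the decoded value has a '..' segment or is an absolute path."""
    value = decode_fully(file_param).replace("\\", "/")  # Windows separators too
    return ".." in value.split("/") or value.startswith("/")


def find_logdelete_traversal(log_text):
    """Return one record per request to /logdelete whose file parameter traverses."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole scan
        parts = urlsplit(match.group("target"))
        if not parts.path.rstrip("/").endswith("/logdelete"):
            continue
        # parse_qs already decodes one layer; decode_fully handles nested encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            if is_traversal(raw):
                hits.append({"ip": match.group("ip"), "ts": match.group("ts"),
                             "file": decode_fully(raw)})
    return hits


if __name__ == "__main__":
    for hit in find_logdelete_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} logdelete traversal attempt: {hit['file']}")
```

A POST to /logdelete carries its parameters in the body, which an access log does not record, so those requests need inspection at the WAF or reverse proxy rather than in this log.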
