CVE-2021-37443

8.1 HIGH

📋 TL;DR

CVE-2021-37443 is a path traversal vulnerability in NCH IVM Attendant that lets an attacker delete arbitrary files on the server via the logdeleteselected check0 parameter. It affects all users running NCH IVM Attendant version 5.12 and earlier. The parameter value is used for file deletion without proper path validation.

💻 Affected Systems

Products:
  • NCH IVM Attendant
Versions: v5.12 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations in which the vulnerable parameter is exposed, typically through the web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to service disruption, data loss, or operating system instability.

🟠 Likely Case

Deletion of application files causing service disruption, potential data loss, and possible privilege escalation if system files are targeted.

🟢 If Mitigated

Impact is limited to the application directory when file permissions are properly configured, causing only application-specific disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Only simple HTTP request manipulation is required; based on the available PoC, no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.13 or later

Vendor Advisory: https://www.nch.com.au/ivm/index.html

Restart Required: Yes

Instructions:

1. Download the latest version from the NCH website.
2. Back up the configuration.
3. Install the update.
4. Restart the IVM Attendant service.

🔧 Temporary Workarounds

Input Validation Filter (Platform: all)

Implement a web application firewall or input validation to block path traversal patterns.

WAF rule: block requests containing '../' or '..\' in parameters

File Permission Restriction (Platform: all)

Restrict the IVM Attendant process to only the directories it needs.

chmod 750 /path/to/ivm (Linux)
icacls "C:\Program Files\IVM" /deny Everyone:(OI)(CI)(DE) (Windows)

🧯 If You Can't Patch

  • Isolate IVM Attendant on separate network segment with strict firewall rules
  • Implement application-level input validation to sanitize the logdeleteselected parameter

🔍 How to Verify

Check if Vulnerable:

Check whether the installed version is 5.12 or earlier via the web interface or the installation directory.

Check Version:

Check Help > About in the application, or examine the installation files.

Verify Fix Applied:

Verify that the version is 5.13 or later, and test the parameter with traversal attempts.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with '../' or '..\' in logdeleteselected parameter
  • File deletion errors in application logs

Network Indicators:

  • HTTP POST requests to IVM endpoints with path traversal patterns

SIEM Query:

source="web_logs" AND (uri="*logdeleteselected*" AND (param="*../*" OR param="*..\\*"))
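The log indicators and SIEM query above match the literal strings '../' and '..\'; a practitioner also wants the percent-encoded and double-encoded forms (%2e%2e%2f, %252e%252e%252f) caught, since those decode to the same traversal before the file system sees them. The script below is an added example, not NCH code or part of the original advisory: it parses Common Log Format web log lines, restricts itself to requests whose target contains logdeleteselected (mirroring the SIEM query), decodes each query parameter repeatedly, and reports any value containing a '..' path segment. The endpoint path /logdeleteselected, the check0 parameter name and all sample log lines are constructed for illustration; the CLF layout is an assumption about how your web tier logs.

```python
"""Detect CVE-2021-37443 traversal attempts in IVM Attendant web logs.

Added example (not NCH code). Assumes Common Log Format lines whose request
target carries the query string; the endpoint path and parameter name are
taken from the advisory text and are assumptions about the real deployment.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# A ".." segment delimited by / or \ (or the string edge). A legitimate file
# name such as "..config.log" does not match; "../x", "..\x" and "/.." do.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (no real deployment). Lines 1-4 are traversal
# attempts in plain, backslash, percent-encoded and double-encoded forms;
# line 5 is a legitimate deletion; line 6 is traversal against another endpoint.
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Aug/2021:12:00:01 +0000] "POST /logdeleteselected?check0=../../../deleteme.txt HTTP/1.1" 200 12
203.0.113.5 - - [10/Aug/2021:12:00:02 +0000] "POST /logdeleteselected?check0=..%5C..%5Cdeleteme.txt HTTP/1.1" 200 12
203.0.113.5 - - [10/Aug/2021:12:00:03 +0000] "GET /logdeleteselected?check0=%2e%2e%2f%2e%2e%2fdeleteme.txt HTTP/1.1" 200 12
203.0.113.5 - - [10/Aug/2021:12:00:04 +0000] "POST /logdeleteselected?check0=%252e%252e%252fdeleteme.txt HTTP/1.1" 200 12
198.51.100.7 - - [10/Aug/2021:12:05:00 +0000] "POST /logdeleteselected?check0=20210809.log HTTP/1.1" 200 12
198.51.100.7 - - [10/Aug/2021:12:06:00 +0000] "GET /status?view=../report HTTP/1.1" 404 0
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_params(target: str) -> List[Tuple[str, str]]:
    """Return (name, decoded value) for each query parameter containing a '..' segment."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)  # parse_qsl decoded once; catch further layers
        if TRAVERSAL_RE.search(value):
            hits.append((name, value))
    return hits


def scan_web_logs(text: str) -> List[Dict[str, str]]:
    """Scan CLF log text and return one alert per traversal parameter on logdeleteselected requests."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF request line; skip rather than guess
        target = m["target"]
        # Scope matches the advisory's SIEM query: only the logdeleteselected action.
        if "logdeleteselected" not in target.lower():
            continue
        for name, value in find_traversal_params(target):
            alerts.append({
                "ts": m["ts"], "client": m["client"], "method": m["method"],
                "status": m["status"], "param": name, "value": value,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_web_logs(SAMPLE_LOGS):
        print(f"{a['ts']} {a['client']} {a['method']} {a['param']}={a['value']!r} (HTTP {a['status']})")
```

Running it reports the four attempts from 203.0.113.5 (the double-encoded one only because of the extra decode round) and stays quiet on the legitimate deletion. The endpoint filter is deliberate: the advisory's own query scopes to logdeleteselected, so the unrelated `/status` hit is not reported; dropping that one `if` widens the same check to every endpoint, which is the stricter WAF-style posture.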
