CVE-2021-37447

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated users in NCH Quorum conference software to delete arbitrary files via directory traversal in the documentdelete endpoint. Attackers can delete critical system files by manipulating the 'file' parameter with '../' sequences. All organizations running NCH Quorum v2.03 or earlier are affected.

💻 Affected Systems

Products:
  • NCH Quorum
Versions: v2.03 and earlier
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability requires authenticated access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical operating system files, leading to system crashes, data loss, or service disruption.

🟠 Likely Case

Unauthorized deletion of application files, configuration files, or user documents causing service disruption and data loss.

🟢 If Mitigated

Limited impact with proper file permissions and monitoring, potentially only affecting non-critical application files.

🌐 Internet-Facing: HIGH if the application is exposed to the internet, as authenticated users can exploit this remotely.
🏢 Internal Only: MEDIUM for internal networks, as attackers would need internal network access and valid credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward with authenticated access. Public proof-of-concept demonstrates the directory traversal technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.04 or later

Vendor Advisory: https://www.nch.com.au/conference/index.html

Restart Required: Yes

Instructions:

1. Download the latest version from the NCH website.
2. Back up the current configuration and data.
3. Install the update.
4. Restart the Quorum service.
5. Verify the fix by testing the documentdelete endpoint.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement a web application firewall or middleware rule that rejects requests containing '../' sequences in file parameters, including the '..\' and URL-encoded forms

Depends on specific WAF or middleware configuration

File Permission Restriction (platform: linux)

Run the Quorum service with minimal file system permissions to limit the damage scope

chmod 750 /path/to/quorum/files
setfacl -m u:quorumuser:rx /path/to/critical

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Quorum servers from critical infrastructure
  • Enable detailed logging and monitoring of file deletion operations and implement alerting

🔍 How to Verify

Check if Vulnerable:

Test the documentdelete endpoint with '../' sequences in the file parameter while authenticated

Check Version:

Check Quorum web interface or configuration files for version information

Verify Fix Applied:

Attempt the same directory traversal attack after patching - it should be blocked or return an error

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to documentdelete with '../' in parameters
  • Unexpected file deletion events in system logs

Network Indicators:

  • HTTP POST/GET requests containing '..' patterns to Quorum endpoints

SIEM Query:

source="web_logs" AND uri="*documentdelete*" AND (param="*../*" OR param="*..\*" OR param="*%2e%2e%2f*")
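
The SIEM query above matches only three literal spellings of the traversal sequence. As an added example (not from NCH or the original advisory), this Python script decodes the 'file' parameter before testing for a '..' path segment; the /documentdelete URL path, the access-log layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines; the /documentdelete path and log layout are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Aug/2021:10:01:02 +0000] "GET /documentdelete?file=agenda.pdf HTTP/1.1" 200 12
10.0.0.5 - alice [12/Aug/2021:10:01:09 +0000] "GET /documentdelete?file=minutes..final.pdf HTTP/1.1" 200 12
10.0.0.9 - bob [12/Aug/2021:10:02:10 +0000] "GET /documentdelete?file=../../conf/example.ini HTTP/1.1" 200 12
10.0.0.9 - bob [12/Aug/2021:10:02:11 +0000] "GET /documentdelete?file=%2e%2e%5c%2e%2e%5cexample.ini HTTP/1.1" 200 12
10.0.0.9 - bob [12/Aug/2021:10:02:12 +0000] "GET /documentdelete?file=%252e%252e%252fnotes.txt HTTP/1.1" 200 12
10.0.0.7 - carol [12/Aug/2021:10:03:00 +0000] "GET /status?dir=..%2f HTTP/1.1" 200 40
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains '..' as a whole path segment."""
    # Treat backslash as a separator so Windows-style paths are covered too.
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def find_traversal_deletes(log_text):
    """Return (client, user, decoded file value) for suspicious documentdelete requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, user, target = m.groups()
        url = urlsplit(target)
        if "documentdelete" not in url.path.lower():
            continue
        # Only query-string parameters are visible here; POST bodies need app-level logs.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == "file" and is_traversal(value):
                hits.append((client, user, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for client, user, value in find_traversal_deletes(SAMPLE_LOG):
        print(f"ALERT documentdelete traversal: client={client} user={user} file={value!r}")
```

Matching on whole '..' segments keeps a legitimate name such as minutes..final.pdf from raising an alert.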
