CVE-2021-38146
📋 TL;DR
This vulnerability allows remote attackers to read arbitrary files on Wipro Holmes Orchestrator servers via path traversal in the File Download API. Attackers can exploit this by sending specially crafted JSON data containing absolute paths. All systems running the affected version are vulnerable.
💻 Affected Systems
- Wipro Holmes Orchestrator
📦 What is this software?
Holmes by Wipro
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like configuration files, passwords, SSH keys, and database credentials, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive system files, configuration data, and potentially credential theft leading to further system compromise.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring in place to detect exploitation attempts.
🎯 Exploit Status
Exploitation requires sending a simple HTTP POST request with crafted JSON to the vulnerable endpoint. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.wipro.com/holmes/
Restart Required: No
Instructions:
Contact Wipro support for patch availability and upgrade instructions. Check vendor advisory for updated versions.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the Holmes Orchestrator web interface to only trusted IP addresses/networks.
Web Application Firewall Rules
Implement WAF rules to block requests containing absolute path or traversal patterns in JSON payloads.
🧯 If You Can't Patch
- Implement strict file system permissions to limit what files the orchestrator service account can read
- Deploy network segmentation to isolate the orchestrator from sensitive systems and data
🔍 How to Verify
Check if Vulnerable:
Test by sending a POST request to /home/download with JSON containing an absolute path in the SearchString field and checking whether the file contents are returned.
Check Version:
Check the orchestrator web interface or configuration files for version information; the affected build is reported as 20.4.1_02_11_2020.
Verify Fix Applied:
After applying vendor patches or workarounds, repeat the test to confirm file access is properly restricted.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /home/download with JSON containing absolute paths
- Unusual file access patterns from orchestrator service account
Network Indicators:
- HTTP traffic to /home/download endpoint with JSON payloads containing path traversal patterns
SIEM Query:
source="web_server_logs" AND uri_path="/home/download" AND http_method="POST" AND (body CONTAINS "/etc/" OR body CONTAINS "C:\\" OR body CONTAINS "../")
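The log indicators and SIEM query above can be turned into a small offline check that runs over captured web-server records. The script below is an added example, not part of this advisory or of the vendor's tooling; the record field names (src, method, path, body) and the sample entries are constructed for illustration, and it flags POSTs to /home/download whose SearchString names an absolute POSIX or Windows path or contains a ".." component.

```python
import json
import re

# Constructed sample of web-server access records (not real logs). Each entry
# carries the request fields plus the captured JSON body, which is what the
# SIEM query keys on. Field names are an assumption for this example.
SAMPLE_LOGS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/home/download",
     "body": r'{"SearchString": "report-2021.csv"}'},
    {"src": "203.0.113.9", "method": "POST", "path": "/home/download",
     "body": r'{"SearchString": "/etc/hosts"}'},
    {"src": "203.0.113.9", "method": "POST", "path": "/home/download",
     "body": r'{"SearchString": "..\\..\\windows\\win.ini"}'},
    {"src": "10.0.0.7", "method": "GET", "path": "/home/download", "body": ""},
    {"src": "198.51.100.4", "method": "POST", "path": "/home/download",
     "body": "not json at all"},
]

# Absolute POSIX path, Windows drive or UNC path, or any ".." path component.
ABSOLUTE_OR_TRAVERSAL = re.compile(
    r"^\s*/"                      # starts at the filesystem root
    r"|^\s*[A-Za-z]:[\\/]"        # C:\ or C:/
    r"|^\s*\\\\"                  # \\server\share
    r"|(^|[\\/])\.\.([\\/]|$)"    # a ".." segment between separators
)

def suspicious_search_string(value):
    """True if a SearchString value is an absolute path or climbs with '..'."""
    return isinstance(value, str) and ABSOLUTE_OR_TRAVERSAL.search(value) is not None

def classify(entry):
    """Return a reason for a suspicious /home/download POST, else None."""
    if entry["method"] != "POST" or entry["path"] != "/home/download":
        return None
    try:
        payload = json.loads(entry["body"])
    except (ValueError, TypeError):
        # A non-JSON body sent to the download endpoint is itself worth a look.
        return "unparseable JSON body"
    value = payload.get("SearchString") if isinstance(payload, dict) else None
    if suspicious_search_string(value):
        return "absolute or traversal path in SearchString"
    return None

def scan(entries):
    """Return (source IP, reason) for every record the detection logic matches."""
    return [(e["src"], reason) for e in entries if (reason := classify(e))]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOGS):
        print(f"{src}: {reason}")
```

The pattern deliberately ignores ".." inside a filename such as report..csv, so only real path components trigger an alert.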